GCC Code Coverage Report


Directory: ./
File: src/tests.c
Date: 2023-03-03 16:58:32
Exec Total Coverage
Lines: 3808 3860 98.7%
Functions: 141 143 98.6%
Branches: 1639 2556 64.1%

Line Branch Exec Source
1 /***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14
15 #include <time.h>
16
17 #include "secp256k1.c"
18 #include "../include/secp256k1.h"
19 #include "../include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 #include "util.h"
22
23 #include "../contrib/lax_der_parsing.c"
24 #include "../contrib/lax_der_privatekey_parsing.c"
25
26 #include "modinv32_impl.h"
27 #ifdef SECP256K1_WIDEMUL_INT128
28 #include "modinv64_impl.h"
29 #endif
30
31 #define CONDITIONAL_TEST(cnt, nam) if (count < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
32
33 static int count = 64;
34 static secp256k1_context *ctx = NULL;
35
36 436809 static void counting_illegal_callback_fn(const char* str, void* data) {
37 /* Dummy callback function that just counts. */
38 436809 int32_t *p;
39 436809 (void)str;
40 436809 p = data;
41 436809 (*p)++;
42 436809 }
43
44 1 static void uncounting_illegal_callback_fn(const char* str, void* data) {
45 /* Dummy callback function that just counts (backwards). */
46 1 int32_t *p;
47 1 (void)str;
48 1 p = data;
49 1 (*p)--;
50 1 }
51
52 313460 void random_field_element_test(secp256k1_fe *fe) {
53 114 do {
54 313574 unsigned char b32[32];
55 313574 secp256k1_testrand256_test(b32);
56
2/2
✓ Branch 1 taken 114 times.
✓ Branch 2 taken 313460 times.
313574 if (secp256k1_fe_set_b32(fe, b32)) {
57 break;
58 }
59 } while(1);
60 313460 }
61
62 2833408 void random_field_element_magnitude(secp256k1_fe *fe) {
63 2833408 secp256k1_fe zero;
64 2833408 int n = secp256k1_testrand_int(9);
65 2833408 secp256k1_fe_normalize(fe);
66
2/2
✓ Branch 0 taken 314081 times.
✓ Branch 1 taken 2519327 times.
2833408 if (n == 0) {
67 314081 return;
68 }
69 2519327 secp256k1_fe_clear(&zero);
70 2519327 secp256k1_fe_negate(&zero, &zero, 0);
71 2519327 secp256k1_fe_mul_int(&zero, n - 1);
72 2519327 secp256k1_fe_add(fe, &zero);
73 #ifdef VERIFY
74 CHECK(fe->magnitude == n);
75 #endif
76 }
77
78 143802 void random_group_element_test(secp256k1_ge *ge) {
79 286705 secp256k1_fe fe;
80 286705 do {
81 286705 random_field_element_test(&fe);
82
2/2
✓ Branch 2 taken 142903 times.
✓ Branch 3 taken 143802 times.
286705 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
83 143802 secp256k1_fe_normalize(&ge->y);
84 143802 break;
85 }
86 } while(1);
87 143802 ge->infinity = 0;
88 143802 }
89
90 24704 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
91 24706 secp256k1_fe z2, z3;
92 24706 do {
93 24706 random_field_element_test(&gej->z);
94
2/2
✓ Branch 0 taken 2 times.
✓ Branch 1 taken 24704 times.
24706 if (!secp256k1_fe_is_zero(&gej->z)) {
95 break;
96 }
97 } while(1);
98 24704 secp256k1_fe_sqr(&z2, &gej->z);
99 24704 secp256k1_fe_mul(&z3, &z2, &gej->z);
100 24704 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
101 24704 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
102 24704 gej->infinity = ge->infinity;
103 24704 }
104
105 128 void random_gej_test(secp256k1_gej *gej) {
106 128 secp256k1_ge ge;
107 128 random_group_element_test(&ge);
108 128 random_group_element_jacobian_test(gej, &ge);
109 128 }
110
111 88109 void random_scalar_order_test(secp256k1_scalar *num) {
112 88877 do {
113 88877 unsigned char b32[32];
114 88877 int overflow = 0;
115 88877 secp256k1_testrand256_test(b32);
116 88877 secp256k1_scalar_set_b32(num, b32, &overflow);
117
4/4
✓ Branch 0 taken 88118 times.
✓ Branch 1 taken 759 times.
✓ Branch 2 taken 9 times.
✓ Branch 3 taken 88109 times.
88877 if (overflow || secp256k1_scalar_is_zero(num)) {
118 768 continue;
119 }
120 88109 break;
121 } while(1);
122 88109 }
123
124 64729 void random_scalar_order(secp256k1_scalar *num) {
125 64729 do {
126 64729 unsigned char b32[32];
127 64729 int overflow = 0;
128 64729 secp256k1_testrand256(b32);
129 64729 secp256k1_scalar_set_b32(num, b32, &overflow);
130
2/4
✓ Branch 0 taken 64729 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 64729 times.
64729 if (overflow || secp256k1_scalar_is_zero(num)) {
131 continue;
132 }
133 64729 break;
134 } while(1);
135 64729 }
136
137 66 void random_scalar_order_b32(unsigned char *b32) {
138 66 secp256k1_scalar num;
139 66 random_scalar_order(&num);
140 66 secp256k1_scalar_get_b32(b32, &num);
141 66 }
142
143 1 void run_util_tests(void) {
144 1 int i;
145 1 uint64_t r;
146 1 uint64_t r2;
147 1 uint64_t r3;
148 1 int64_t s;
149 1 CHECK(secp256k1_clz64_var(0) == 64);
150
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_clz64_var(1) == 63);
151
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_clz64_var(2) == 62);
152
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_clz64_var(3) == 62);
153 CHECK(secp256k1_clz64_var(~0ULL) == 0);
154 CHECK(secp256k1_clz64_var((~0ULL) - 1) == 0);
155
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_clz64_var((~0ULL) >> 1) == 1);
156
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_clz64_var((~0ULL) >> 2) == 2);
157 CHECK(secp256k1_sign_and_abs64(&r, INT64_MAX) == 0);
158 CHECK(r == INT64_MAX);
159 CHECK(secp256k1_sign_and_abs64(&r, INT64_MAX - 1) == 0);
160 CHECK(r == INT64_MAX - 1);
161 CHECK(secp256k1_sign_and_abs64(&r, INT64_MIN) == 1);
162 CHECK(r == (uint64_t)INT64_MAX + 1);
163 CHECK(secp256k1_sign_and_abs64(&r, INT64_MIN + 1) == 1);
164 CHECK(r == (uint64_t)INT64_MAX);
165 CHECK(secp256k1_sign_and_abs64(&r, 0) == 0);
166 CHECK(r == 0);
167 CHECK(secp256k1_sign_and_abs64(&r, 1) == 0);
168 CHECK(r == 1);
169 CHECK(secp256k1_sign_and_abs64(&r, -1) == 1);
170 CHECK(r == 1);
171 CHECK(secp256k1_sign_and_abs64(&r, 2) == 0);
172 CHECK(r == 2);
173 CHECK(secp256k1_sign_and_abs64(&r, -2) == 1);
174 CHECK(r == 2);
175
2/2
✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1 times.
11 for (i = 0; i < 10; i++) {
176 10 CHECK(secp256k1_clz64_var((~0ULL) - secp256k1_testrand32()) == 0);
177 10 r = ((uint64_t)secp256k1_testrand32() << 32) | secp256k1_testrand32();
178 10 r2 = secp256k1_testrandi64(0, r);
179
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(r2 <= r);
180 10 r3 = secp256k1_testrandi64(r2, r);
181
2/4
✓ Branch 0 taken 10 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 10 times.
10 CHECK((r3 >= r2) && (r3 <= r));
182 10 r = secp256k1_testrandi64(0, INT64_MAX);
183
2/2
✓ Branch 1 taken 4 times.
✓ Branch 2 taken 6 times.
10 s = (int64_t)r * (secp256k1_testrand32()&1?-1:1);
184
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(secp256k1_sign_and_abs64(&r2, s) == (s < 0));
185
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(r2 == r);
186 }
187 1 }
188
189 2 void run_context_tests(int use_prealloc) {
190 2 secp256k1_pubkey pubkey;
191 2 secp256k1_pubkey zero_pubkey;
192 2 secp256k1_ecdsa_signature sig;
193 2 unsigned char ctmp[32];
194 2 int32_t ecount;
195 2 int32_t ecount2;
196 2 secp256k1_context *none;
197 2 secp256k1_context *sign;
198 2 secp256k1_context *vrfy;
199 2 secp256k1_context *both;
200 2 secp256k1_context *sttc;
201 2 void *none_prealloc = NULL;
202 2 void *sign_prealloc = NULL;
203 2 void *vrfy_prealloc = NULL;
204 2 void *both_prealloc = NULL;
205 2 void *sttc_prealloc = NULL;
206
207 2 secp256k1_gej pubj;
208 2 secp256k1_ge pub;
209 2 secp256k1_scalar msg, key, nonce;
210 2 secp256k1_scalar sigr, sigs;
211
212
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
2 if (use_prealloc) {
213
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
214 1 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
215 1 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
216 1 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
217
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 sttc_prealloc = malloc(secp256k1_context_preallocated_clone_size(secp256k1_context_no_precomp));
218
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(none_prealloc != NULL);
219
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(sign_prealloc != NULL);
220
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(vrfy_prealloc != NULL);
221
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(both_prealloc != NULL);
222
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(sttc_prealloc != NULL);
223 1 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
224 1 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
225 1 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
226 1 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
227 1 sttc = secp256k1_context_preallocated_clone(secp256k1_context_no_precomp, sttc_prealloc);
228 } else {
229 1 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
230 1 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
231 1 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
232 1 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
233 1 sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
234 }
235
236 2 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
237
238 2 ecount = 0;
239 2 ecount2 = 10;
240
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
241
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
242 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
243
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
244
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
245 2 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
246
247 /* check if sizes for cloning are consistent */
248
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
2 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
249 2 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
250 2 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
251 2 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
252 2 CHECK(secp256k1_context_preallocated_clone_size(sttc) >= sizeof(secp256k1_context));
253
254 /*** clone and destroy all of them to make sure cloning was complete ***/
255 {
256 2 secp256k1_context *ctx_tmp;
257
258
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
2 if (use_prealloc) {
259 /* clone into a non-preallocated context and then again into a new preallocated one. */
260 1 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
261
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
262 1 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
263
264 1 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
265
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
266 1 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
267
268 1 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
269
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
270 1 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
271
272 1 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
273
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
274 1 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
275 } else {
276 /* clone into a preallocated context and then again into a new non-preallocated one. */
277 1 void *prealloc_tmp;
278
279
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
280 1 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
281 1 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
282 1 free(prealloc_tmp);
283
284
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
285 1 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
286 1 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
287 1 free(prealloc_tmp);
288
289
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
290 1 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
291 1 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
292 1 free(prealloc_tmp);
293
294
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
295 1 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
296 1 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
297 1 free(prealloc_tmp);
298 }
299 }
300
301 /* Verify that the error callback makes it across the clone. */
302
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
303
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
304 /* And that it resets back to default. */
305
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 secp256k1_context_set_error_callback(sign, NULL, NULL);
306
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
307
308 /*** attempt to use them ***/
309 2 random_scalar_order_test(&msg);
310 2 random_scalar_order_test(&key);
311 2 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
312 2 secp256k1_ge_set_gej(&pub, &pubj);
313
314 /* Verify context-type checking illegal-argument errors. */
315 2 memset(ctmp, 1, 32);
316
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_create(sttc, &pubkey, ctmp) == 0);
317
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 1);
318 2 VG_UNDEF(&pubkey, sizeof(pubkey));
319
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
320 2 VG_CHECK(&pubkey, sizeof(pubkey));
321
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(sttc, &sig, ctmp, ctmp, NULL, NULL) == 0);
322
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 2);
323 2 VG_UNDEF(&sig, sizeof(sig));
324
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
325 2 VG_CHECK(&sig, sizeof(sig));
326
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount2 == 10);
327
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 1);
328
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount2 == 10);
329
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_verify(sttc, &sig, ctmp, &pubkey) == 1);
330
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 2);
331
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 1);
332
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount2 == 10);
333
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_tweak_add(sttc, &pubkey, ctmp) == 1);
334
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 2);
335
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 1);
336
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount2 == 10);
337
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_negate(sttc, &pubkey) == 1);
338
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 2);
339
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
340
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 2);
341
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
342
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount2 == 11);
343
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_negate(sttc, &zero_pubkey) == 0);
344
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 3);
345
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ec_pubkey_tweak_mul(sttc, &pubkey, ctmp) == 1);
346
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 3);
347
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(secp256k1_context_randomize(sttc, ctmp) == 1);
348
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 3);
349
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(secp256k1_context_randomize(sttc, NULL) == 1);
350
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount == 3);
351
1/2
✓ Branch 0 taken 2 times.
✗ Branch 1 not taken.
2 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
352
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount2 == 11);
353
1/2
✓ Branch 0 taken 2 times.
✗ Branch 1 not taken.
2 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
354
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(ecount2 == 11);
355
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 secp256k1_context_set_illegal_callback(sttc, NULL, NULL);
356
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
357
358 /* obtain a working nonce */
359 2 do {
360 2 random_scalar_order_test(&nonce);
361
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
362
363 /* try signing */
364
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
365
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
366
367 /* try verifying */
368
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
369
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
370
371 /* cleanup */
372
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
2 if (use_prealloc) {
373 1 secp256k1_context_preallocated_destroy(none);
374 1 secp256k1_context_preallocated_destroy(sign);
375 1 secp256k1_context_preallocated_destroy(vrfy);
376 1 secp256k1_context_preallocated_destroy(both);
377 1 secp256k1_context_preallocated_destroy(sttc);
378 1 free(none_prealloc);
379 1 free(sign_prealloc);
380 1 free(vrfy_prealloc);
381 1 free(both_prealloc);
382 1 free(sttc_prealloc);
383 } else {
384 1 secp256k1_context_destroy(none);
385 1 secp256k1_context_destroy(sign);
386 1 secp256k1_context_destroy(vrfy);
387 1 secp256k1_context_destroy(both);
388 1 secp256k1_context_destroy(sttc);
389 }
390 /* Defined as no-op. */
391 2 secp256k1_context_destroy(NULL);
392 2 secp256k1_context_preallocated_destroy(NULL);
393
394 2 }
395
396 1 void run_scratch_tests(void) {
397 1 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
398
399 1 int32_t ecount = 0;
400 1 size_t checkpoint;
401 1 size_t checkpoint_2;
402 1 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
403 1 secp256k1_scratch_space *scratch;
404 1 secp256k1_scratch_space local_scratch;
405
406 /* Test public API */
407
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
408
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
409
410 1 scratch = secp256k1_scratch_space_create(none, 1000);
411
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch != NULL);
412
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
413
414 /* Test internal API */
415
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
416
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
417
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size == 0);
418
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size % ALIGNMENT == 0);
419
420 /* Allocating 500 bytes succeeds */
421 1 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
422
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
423
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
424
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
425
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size != 0);
426
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size % ALIGNMENT == 0);
427
428 /* Allocating another 501 bytes fails */
429
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
430
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
431
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
432
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size != 0);
433
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size % ALIGNMENT == 0);
434
435 /* ...but it succeeds once we apply the checkpoint to undo it */
436 1 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
437
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size == 0);
438
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
439
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
440
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(scratch->alloc_size != 0);
441
442 /* try to apply a bad checkpoint */
443 1 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
444 1 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
445
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
446 1 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
447
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
448 1 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
449
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
450
451 /* try to use badly initialized scratch space */
452 1 secp256k1_scratch_space_destroy(none, scratch);
453 1 memset(&local_scratch, 0, sizeof(local_scratch));
454 1 scratch = &local_scratch;
455
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
456
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
457
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
458
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 4);
459 1 secp256k1_scratch_space_destroy(none, scratch);
460
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 5);
461
462 /* Test that large integers do not wrap around in a bad way */
463 1 scratch = secp256k1_scratch_space_create(none, 1000);
464 /* Try max allocation with a large number of objects. Only makes sense if
465 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
466 * space. */
467
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
468 /* Try allocating SIZE_MAX to test wrap around which only happens if
469 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
470 * space is too small. */
471
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
472 1 secp256k1_scratch_space_destroy(none, scratch);
473
474 /* cleanup */
475 1 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
476 1 secp256k1_context_destroy(none);
477 1 }
478
479 1 void run_ctz_tests(void) {
480 1 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
481 1 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
482 1 int shift;
483 1 unsigned i;
484
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
5 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
485
2/2
✓ Branch 0 taken 128 times.
✓ Branch 1 taken 4 times.
132 for (shift = 0; shift < 32; ++shift) {
486
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 128 times.
128 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
487
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 128 times.
128 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
488 }
489 }
490
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
5 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
491
2/2
✓ Branch 0 taken 256 times.
✓ Branch 1 taken 4 times.
260 for (shift = 0; shift < 64; ++shift) {
492
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
256 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
493
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
256 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
494 }
495 }
496 1 }
497
498 /***** HASH TESTS *****/
499
500 1 void run_sha256_known_output_tests(void) {
501 1 static const char *inputs[] = {
502 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
503 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
504 "For this sample, this 63-byte string will be used as input data",
505 "This is exactly 64 bytes long, not counting the terminating byte",
506 "aaaaa",
507 };
508 1 static const unsigned int repeat[] = {
509 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
510 };
511 1 static const unsigned char outputs[][32] = {
512 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
513 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
514 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
515 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
516 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
517 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
518 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
519 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
520 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
521 };
522 1 unsigned int i, ninputs;
523
524 /* Skip last input vector for low iteration counts */
525 1 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1;
526
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
527
528
2/2
✓ Branch 0 taken 9 times.
✓ Branch 1 taken 1 times.
10 for (i = 0; i < ninputs; i++) {
529 9 unsigned char out[32];
530 9 secp256k1_sha256 hasher;
531 9 unsigned int j;
532 /* 1. Run: simply write the input bytestrings */
533 9 j = repeat[i];
534 9 secp256k1_sha256_initialize(&hasher);
535
2/2
✓ Branch 0 taken 200008 times.
✓ Branch 1 taken 9 times.
200017 while (j > 0) {
536 200008 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
537 200008 j--;
538 }
539 9 secp256k1_sha256_finalize(&hasher, out);
540
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 9 times.
18 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
541 /* 2. Run: split the input bytestrings randomly before writing */
542
2/2
✓ Branch 0 taken 8 times.
✓ Branch 1 taken 1 times.
9 if (strlen(inputs[i]) > 0) {
543 8 int split = secp256k1_testrand_int(strlen(inputs[i]));
544 8 secp256k1_sha256_initialize(&hasher);
545 8 j = repeat[i];
546
2/2
✓ Branch 0 taken 200007 times.
✓ Branch 1 taken 8 times.
200015 while (j > 0) {
547 200007 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
548 200007 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
549 200007 j--;
550 }
551 8 secp256k1_sha256_finalize(&hasher, out);
552
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 8 times.
17 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
553 }
554 }
555 1 }
556
557 /** SHA256 counter tests
558
559 The tests verify that the SHA256 counter doesn't wrap around at message length
560 2^i bytes for i = 20, ..., 33. This wide range aims at being independent of the
561 implementation of the counter and it catches multiple natural 32-bit overflows
562 (e.g., counting bits, counting bytes, counting blocks, ...).
563
564 The test vectors have been generated using following Python script which relies
565 on https://github.com/cloudtools/sha256/ (v0.3 on Python v3.10.2).
566
567 ```
568 from sha256 import sha256
569 from copy import copy
570
571 def midstate_c_definition(hasher):
572 ret = ' {{0x' + hasher.state[0].hex('_', 4).replace('_', ', 0x') + '},\n'
573 ret += ' {0x00}, ' + str(hex(hasher.state[1])) + '}'
574 return ret
575
576 def output_c_literal(hasher):
577 return '{0x' + hasher.digest().hex('_').replace('_', ', 0x') + '}'
578
579 MESSAGE = b'abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno'
580 assert(len(MESSAGE) == 64)
581 BYTE_BOUNDARIES = [(2**b)//len(MESSAGE) - 1 for b in range(20, 34)]
582
583 midstates = []
584 digests = []
585 hasher = sha256()
586 for i in range(BYTE_BOUNDARIES[-1] + 1):
587 if i in BYTE_BOUNDARIES:
588 midstates.append(midstate_c_definition(hasher))
589 hasher_copy = copy(hasher)
590 hasher_copy.update(MESSAGE)
591 digests.append(output_c_literal(hasher_copy))
592 hasher.update(MESSAGE)
593
594 for x in midstates:
595 print(x + ',')
596
597 for x in digests:
598 print(x + ',')
599 ```
600 */
601 1 void run_sha256_counter_tests(void) {
602 1 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
603 1 static const secp256k1_sha256 midstates[] = {
604 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
605 {0x00}, 0xfffc0},
606 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
607 {0x00}, 0x1fffc0},
608 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
609 {0x00}, 0x3fffc0},
610 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
611 {0x00}, 0x7fffc0},
612 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
613 {0x00}, 0xffffc0},
614 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
615 {0x00}, 0x1ffffc0},
616 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
617 {0x00}, 0x3ffffc0},
618 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
619 {0x00}, 0x7ffffc0},
620 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
621 {0x00}, 0xfffffc0},
622 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
623 {0x00}, 0x1fffffc0},
624 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
625 {0x00}, 0x3fffffc0},
626 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
627 {0x00}, 0x7fffffc0},
628 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
629 {0x00}, 0xffffffc0},
630 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
631 {0x00}, 0x1ffffffc0},
632 };
633 1 static const unsigned char outputs[][32] = {
634 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
635 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
636 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
637 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
638 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
639 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
640 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
641 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
642 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
643 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
644 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
645 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
646 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
647 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
648 };
649 1 unsigned int i;
650
2/2
✓ Branch 0 taken 14 times.
✓ Branch 1 taken 1 times.
15 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) {
651 14 unsigned char out[32];
652 14 secp256k1_sha256 hasher = midstates[i];
653 14 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input));
654 14 secp256k1_sha256_finalize(&hasher, out);
655
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 14 times.
28 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
656 }
657 1 }
658
659 1 void run_hmac_sha256_tests(void) {
660 1 static const char *keys[6] = {
661 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
662 "\x4a\x65\x66\x65",
663 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
664 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
665 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
666 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
667 };
668 1 static const char *inputs[6] = {
669 "\x48\x69\x20\x54\x68\x65\x72\x65",
670 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
671 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
672 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
673 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
674 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
675 };
676 1 static const unsigned char outputs[6][32] = {
677 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
678 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
679 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
680 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
681 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
682 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
683 };
684 1 int i;
685
2/2
✓ Branch 0 taken 6 times.
✓ Branch 1 taken 1 times.
7 for (i = 0; i < 6; i++) {
686 6 secp256k1_hmac_sha256 hasher;
687 6 unsigned char out[32];
688 6 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
689 6 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
690 6 secp256k1_hmac_sha256_finalize(&hasher, out);
691
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 6 times.
12 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
692
1/2
✓ Branch 0 taken 6 times.
✗ Branch 1 not taken.
6 if (strlen(inputs[i]) > 0) {
693 6 int split = secp256k1_testrand_int(strlen(inputs[i]));
694 6 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
695 6 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
696 6 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
697 6 secp256k1_hmac_sha256_finalize(&hasher, out);
698
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 6 times.
12 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
699 }
700 }
701 1 }
702
703 1 void run_rfc6979_hmac_sha256_tests(void) {
704 1 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
705 1 static const unsigned char out1[3][32] = {
706 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
707 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
708 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
709 };
710
711 1 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
712 1 static const unsigned char out2[3][32] = {
713 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
714 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
715 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
716 };
717
718 1 secp256k1_rfc6979_hmac_sha256 rng;
719 1 unsigned char out[32];
720 1 int i;
721
722 1 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
723
2/2
✓ Branch 1 taken 3 times.
✓ Branch 2 taken 1 times.
5 for (i = 0; i < 3; i++) {
724 3 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
725
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 3 times.
6 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
726 }
727 1 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
728
729 1 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
730
2/2
✓ Branch 1 taken 3 times.
✓ Branch 2 taken 1 times.
5 for (i = 0; i < 3; i++) {
731 3 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
732
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 3 times.
6 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
733 }
734 1 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
735
736 1 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
737
2/2
✓ Branch 1 taken 3 times.
✓ Branch 2 taken 1 times.
5 for (i = 0; i < 3; i++) {
738 3 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
739
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 3 times.
6 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
740 }
741 1 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
742 1 }
743
744 1 void run_tagged_sha256_tests(void) {
745 1 int ecount = 0;
746 1 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
747 1 unsigned char tag[32] = { 0 };
748 1 unsigned char msg[32] = { 0 };
749 1 unsigned char hash32[32];
750 1 unsigned char hash_expected[32] = {
751 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
752 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
753 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
754 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
755 };
756
757
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
758
759 /* API test */
760
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
761
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
762
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
763
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
764
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
765
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
766
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
767
768 /* Static test vector */
769 1 memcpy(tag, "tag", 3);
770 1 memcpy(msg, "msg", 3);
771
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
772
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
773 1 secp256k1_context_destroy(none);
774 1 }
775
776 /***** RANDOM TESTS *****/
777
778 33 void test_rand_bits(int rand32, int bits) {
779 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
780 * get a false negative chance below once in a billion */
781 33 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
782 /* We try multiplying the results with various odd numbers, which shouldn't
783 * influence the uniform distribution modulo a power of 2. */
784 33 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
785 /* We only select up to 6 bits from the output to analyse */
786 33 unsigned int usebits = bits > 6 ? 6 : bits;
787 33 unsigned int maxshift = bits - usebits;
788 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
789 number, track all observed outcomes, one per bit in a uint64_t. */
790 33 uint64_t x[6][27] = {{0}};
791 33 unsigned int i, shift, m;
792 /* Multiply the output of all rand calls with the odd number m, which
793 should not change the uniformity of its distribution. */
794
2/2
✓ Branch 0 taken 38082 times.
✓ Branch 1 taken 33 times.
38115 for (i = 0; i < rounds[usebits]; i++) {
795
2/2
✓ Branch 0 taken 1316 times.
✓ Branch 1 taken 36766 times.
38082 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
796
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 38082 times.
38082 CHECK((((uint64_t)r) >> bits) == 0);
797
2/2
✓ Branch 0 taken 228492 times.
✓ Branch 1 taken 38082 times.
266574 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
798 228492 uint32_t rm = r * mults[m];
799
2/2
✓ Branch 0 taken 3205284 times.
✓ Branch 1 taken 228492 times.
3433776 for (shift = 0; shift <= maxshift; shift++) {
800 3205284 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
801 }
802 }
803 }
804
2/2
✓ Branch 0 taken 198 times.
✓ Branch 1 taken 33 times.
231 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
805
2/2
✓ Branch 0 taken 2460 times.
✓ Branch 1 taken 198 times.
2658 for (shift = 0; shift <= maxshift; shift++) {
806 /* Test that the lower usebits bits of x[shift] are 1 */
807
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2460 times.
2460 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
808 }
809 }
810 33 }
811
812 /* Subrange must be a whole divisor of range, and at most 64 */
813 49 void test_rand_int(uint32_t range, uint32_t subrange) {
814 /* (1-1/subrange)^rounds < 1/10^9 */
815 49 int rounds = (subrange * 2073) / 100;
816 49 int i;
817 49 uint64_t x = 0;
818
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 49 times.
49 CHECK((range % subrange) == 0);
819
2/2
✓ Branch 0 taken 18403 times.
✓ Branch 1 taken 49 times.
18452 for (i = 0; i < rounds; i++) {
820 18403 uint32_t r = secp256k1_testrand_int(range);
821
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 18403 times.
18403 CHECK(r < range);
822 18403 r = r % subrange;
823 18403 x |= (((uint64_t)1) << r);
824 }
825 /* Test that the lower subrange bits of x are 1. */
826
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 49 times.
49 CHECK(((~x) << (64 - subrange)) == 0);
827 49 }
828
829 1 void run_rand_bits(void) {
830 1 size_t b;
831 1 test_rand_bits(1, 32);
832
2/2
✓ Branch 1 taken 32 times.
✓ Branch 2 taken 1 times.
34 for (b = 1; b <= 32; b++) {
833 32 test_rand_bits(0, b);
834 }
835 1 }
836
837 1 void run_rand_int(void) {
838 1 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
839 1 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
840 1 unsigned int m, s;
841
2/2
✓ Branch 0 taken 7 times.
✓ Branch 1 taken 1 times.
8 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
842
2/2
✓ Branch 0 taken 49 times.
✓ Branch 1 taken 7 times.
56 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
843 49 test_rand_int(ms[m] * ss[s], ss[s]);
844 }
845 }
846 1 }
847
848 /***** MODINV TESTS *****/
849
850 /* Compute the modular inverse of (odd) x mod 2^64. */
851 13100 uint64_t modinv2p64(uint64_t x) {
852 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
853 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
854 * why. Start with L=0, for which it is true for every odd x that
855 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
856 13100 int l;
857 13100 uint64_t w = 1;
858
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 13100 times.
13100 CHECK(x & 1);
859
2/2
✓ Branch 0 taken 78600 times.
✓ Branch 1 taken 13100 times.
91700 for (l = 0; l < 6; ++l) w *= (2 - w*x);
860 13100 return w;
861 }
862
863 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
864 *
865 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
866 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
867 1033563 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
868 1033563 uint16_t mul[32];
869 1033563 uint64_t c = 0;
870 1033563 int i, j;
871 1033563 int m_bitlen = 0;
872 1033563 int mul_bitlen = 0;
873
874
2/2
✓ Branch 0 taken 64600 times.
✓ Branch 1 taken 968963 times.
1033563 if (b != NULL) {
875 /* Compute the product of a and b, and put it in mul. */
876
2/2
✓ Branch 0 taken 2067200 times.
✓ Branch 1 taken 64600 times.
2131800 for (i = 0; i < 32; ++i) {
877
2/2
✓ Branch 0 taken 16537600 times.
✓ Branch 1 taken 2067200 times.
18604800 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
878 16537600 c += (uint64_t)a[j] * b[i - j];
879 }
880 2067200 mul[i] = c & 0xFFFF;
881 2067200 c >>= 16;
882 }
883
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64600 times.
64600 CHECK(c == 0);
884
885 /* compute the highest set bit in mul */
886
2/2
✓ Branch 0 taken 2100620 times.
✓ Branch 1 taken 269 times.
2100889 for (i = 511; i >= 0; --i) {
887
2/2
✓ Branch 0 taken 2036289 times.
✓ Branch 1 taken 64331 times.
2100620 if ((mul[i >> 4] >> (i & 15)) & 1) {
888 mul_bitlen = i;
889 break;
890 }
891 }
892 } else {
893 /* if b==NULL, set mul=a. */
894 968963 memcpy(mul, a, 32);
895 968963 memset(mul + 16, 0, 32);
896 /* compute the highest set bit in mul */
897
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 143090345 times.
143090345 for (i = 255; i >= 0; --i) {
898
2/2
✓ Branch 0 taken 142121382 times.
✓ Branch 1 taken 968963 times.
143090345 if ((mul[i >> 4] >> (i & 15)) & 1) {
899 mul_bitlen = i;
900 break;
901 }
902 }
903 }
904
905 /* Compute the highest set bit in m. */
906
1/2
✓ Branch 0 taken 145447558 times.
✗ Branch 1 not taken.
145447558 for (i = 255; i >= 0; --i) {
907
2/2
✓ Branch 0 taken 144413995 times.
✓ Branch 1 taken 1033563 times.
145447558 if ((m[i >> 4] >> (i & 15)) & 1) {
908 m_bitlen = i;
909 break;
910 }
911 }
912
913 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
914
2/2
✓ Branch 0 taken 17989440 times.
✓ Branch 1 taken 1033563 times.
19023003 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
915 uint16_t mul2[32];
916 int64_t cs;
917
918 /* Compute mul2 = mul - m<<i. */
919 cs = 0; /* accumulator */
920
2/2
✓ Branch 0 taken 575662080 times.
✓ Branch 1 taken 17989440 times.
593651520 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
921 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
922 uint16_t sub = 0;
923 int p;
924
2/2
✓ Branch 0 taken 9210593280 times.
✓ Branch 1 taken 575662080 times.
9786255360 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
925 9210593280 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
926
2/2
✓ Branch 0 taken 4605296640 times.
✓ Branch 1 taken 4605296640 times.
9210593280 if (bitpos >= 0 && bitpos < 256) {
927 4605296640 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
928 }
929 }
930 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
931 575662080 cs += mul[j];
932 575662080 cs -= sub;
933 575662080 mul2[j] = (cs & 0xFFFF);
934 575662080 cs >>= 16;
935 }
936 /* If remainder of subtraction is 0, set mul = mul2. */
937
2/2
✓ Branch 0 taken 9136091 times.
✓ Branch 1 taken 8853349 times.
17989440 if (cs == 0) {
938 9136091 memcpy(mul, mul2, sizeof(mul));
939 }
940 }
941 /* Sanity check: test that all limbs higher than m's highest are zero */
942
2/2
✓ Branch 0 taken 25098389 times.
✓ Branch 1 taken 1033563 times.
26131952 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
943
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25098389 times.
25098389 CHECK(mul[i] == 0);
944 }
945 1033563 memcpy(out, mul, 32);
946 1033563 }
947
948 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
949 13100 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
950 13100 int i;
951 13100 memset(out->v, 0, sizeof(out->v));
952
2/2
✓ Branch 0 taken 3353600 times.
✓ Branch 1 taken 13100 times.
3366700 for (i = 0; i < 256; ++i) {
953 3353600 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
954 }
955 13100 }
956
957 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
958 26200 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
959 26200 int i;
960 26200 memset(out, 0, 32);
961
2/2
✓ Branch 0 taken 6707200 times.
✓ Branch 1 taken 26200 times.
6733400 for (i = 0; i < 256; ++i) {
962 6707200 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
963 }
964 26200 }
965
966 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
967 6550 void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
968 6550 int i;
969
2/2
✓ Branch 0 taken 104800 times.
✓ Branch 1 taken 6550 times.
111350 for (i = 0; i < 16; ++i) {
970 104800 int pos = secp256k1_testrand_bits(3);
971
3/4
✓ Branch 0 taken 43995 times.
✓ Branch 1 taken 60805 times.
✓ Branch 2 taken 43995 times.
✗ Branch 3 not taken.
104800 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
972 43995 x->v[pos] -= 0x40000000;
973 43995 x->v[pos + 1] += 1;
974
4/4
✓ Branch 0 taken 44511 times.
✓ Branch 1 taken 16294 times.
✓ Branch 2 taken 2239 times.
✓ Branch 3 taken 42272 times.
60805 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
975 2239 x->v[pos] += 0x40000000;
976 2239 x->v[pos + 1] -= 1;
977 }
978 }
979 6550 }
980
981 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
982 6550 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
983 6550 uint16_t tmp[16];
984 6550 secp256k1_modinv32_signed30 x;
985 6550 secp256k1_modinv32_modinfo m;
986 6550 int i, vartime, nonzero;
987
988 6550 uint16_to_signed30(&x, in);
989 6550 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
990 6550 uint16_to_signed30(&m.modulus, mod);
991 6550 mutate_sign_signed30(&m.modulus);
992
993 /* compute 1/modulus mod 2^30 */
994 6550 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
995
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 6550 times.
6550 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
996
997
2/2
✓ Branch 0 taken 13100 times.
✓ Branch 1 taken 6550 times.
19650 for (vartime = 0; vartime < 2; ++vartime) {
998 /* compute inverse */
999
2/2
✓ Branch 0 taken 6550 times.
✓ Branch 1 taken 6550 times.
19650 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1000
1001 /* produce output */
1002 13100 signed30_to_uint16(out, &x);
1003
1004 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1005 13100 mulmod256(tmp, out, in, mod);
1006
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 13100 times.
13100 CHECK(tmp[0] == nonzero);
1007
3/4
✗ Branch 0 not taken.
✓ Branch 1 taken 196500 times.
✓ Branch 4 taken 196500 times.
✓ Branch 5 taken 13100 times.
209600 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1008
1009 /* invert again */
1010 13100 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1011
1012 /* check if the result is equal to the input */
1013 13100 signed30_to_uint16(tmp, &x);
1014
3/4
✗ Branch 1 not taken.
✓ Branch 2 taken 209600 times.
✓ Branch 5 taken 209600 times.
✓ Branch 6 taken 13100 times.
235800 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1015 }
1016 6550 }
1017
1018 #ifdef SECP256K1_WIDEMUL_INT128
1019 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1020 13100 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1021 13100 int i;
1022 13100 memset(out->v, 0, sizeof(out->v));
1023
2/2
✓ Branch 0 taken 3353600 times.
✓ Branch 1 taken 13100 times.
3366700 for (i = 0; i < 256; ++i) {
1024 3353600 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1025 }
1026 13100 }
1027
1028 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1029 26200 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1030 26200 int i;
1031 26200 memset(out, 0, 32);
1032
2/2
✓ Branch 0 taken 6707200 times.
✓ Branch 1 taken 26200 times.
6733400 for (i = 0; i < 256; ++i) {
1033 6707200 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1034 }
1035 26200 }
1036
1037 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1038 6550 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1039 6550 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1040 6550 int i;
1041
2/2
✓ Branch 0 taken 52400 times.
✓ Branch 1 taken 6550 times.
58950 for (i = 0; i < 8; ++i) {
1042 52400 int pos = secp256k1_testrand_bits(2);
1043
3/4
✓ Branch 0 taken 31676 times.
✓ Branch 1 taken 20724 times.
✓ Branch 2 taken 31676 times.
✗ Branch 3 not taken.
52400 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1044 31676 x->v[pos] -= (M62 + 1);
1045 31676 x->v[pos + 1] += 1;
1046
3/4
✓ Branch 0 taken 18610 times.
✓ Branch 1 taken 2114 times.
✓ Branch 2 taken 18610 times.
✗ Branch 3 not taken.
20724 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1047 18610 x->v[pos] += (M62 + 1);
1048 18610 x->v[pos + 1] -= 1;
1049 }
1050 }
1051 6550 }
1052
1053 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1054 6550 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1055 6550 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1056 6550 uint16_t tmp[16];
1057 6550 secp256k1_modinv64_signed62 x;
1058 6550 secp256k1_modinv64_modinfo m;
1059 6550 int i, vartime, nonzero;
1060
1061 6550 uint16_to_signed62(&x, in);
1062 6550 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1063 6550 uint16_to_signed62(&m.modulus, mod);
1064 6550 mutate_sign_signed62(&m.modulus);
1065
1066 /* compute 1/modulus mod 2^62 */
1067 6550 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1068
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 6550 times.
6550 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1069
1070
2/2
✓ Branch 0 taken 13100 times.
✓ Branch 1 taken 6550 times.
19650 for (vartime = 0; vartime < 2; ++vartime) {
1071 /* compute inverse */
1072
2/2
✓ Branch 0 taken 6550 times.
✓ Branch 1 taken 6550 times.
19650 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1073
1074 /* produce output */
1075 13100 signed62_to_uint16(out, &x);
1076
1077 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1078 13100 mulmod256(tmp, out, in, mod);
1079
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 13100 times.
13100 CHECK(tmp[0] == nonzero);
1080
3/4
✗ Branch 0 not taken.
✓ Branch 1 taken 196500 times.
✓ Branch 4 taken 196500 times.
✓ Branch 5 taken 13100 times.
209600 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1081
1082 /* invert again */
1083 13100 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1084
1085 /* check if the result is equal to the input */
1086 13100 signed62_to_uint16(tmp, &x);
1087
3/4
✗ Branch 1 not taken.
✓ Branch 2 taken 209600 times.
✓ Branch 5 taken 209600 times.
✓ Branch 6 taken 13100 times.
235800 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1088 }
1089 6550 }
1090 #endif
1091
1092 /* test if a and b are coprime */
1093 7945 int coprime(const uint16_t* a, const uint16_t* b) {
1094 7945 uint16_t x[16], y[16], t[16];
1095 7945 int i;
1096 7945 int iszero;
1097 7945 memcpy(x, a, 32);
1098 7945 memcpy(y, b, 32);
1099
1100 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1101 1929981 while (1) {
1102 968963 iszero = 1;
1103
2/2
✓ Branch 0 taken 1092284 times.
✓ Branch 1 taken 7945 times.
1100229 for (i = 0; i < 16; ++i) {
1104
2/2
✓ Branch 0 taken 131266 times.
✓ Branch 1 taken 961018 times.
1092284 if (x[i] != 0) {
1105 iszero = 0;
1106 break;
1107 }
1108 }
1109
2/2
✓ Branch 0 taken 961018 times.
✓ Branch 1 taken 7945 times.
968963 if (iszero) break;
1110 961018 mulmod256(t, y, NULL, x);
1111 961018 memcpy(y, x, 32);
1112 961018 memcpy(x, t, 32);
1113 }
1114
1115 /* return whether y=1 */
1116
2/2
✓ Branch 0 taken 6400 times.
✓ Branch 1 taken 1545 times.
7945 if (y[0] != 1) return 0;
1117
2/2
✓ Branch 0 taken 96000 times.
✓ Branch 1 taken 6400 times.
102400 for (i = 1; i < 16; ++i) {
1118
1/2
✓ Branch 0 taken 96000 times.
✗ Branch 1 not taken.
96000 if (y[i] != 0) return 0;
1119 }
1120 return 1;
1121 }
1122
1123 1 void run_modinv_tests(void) {
1124 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1125 1 static const uint16_t CASES[][3][16] = {
1126 /* Test cases triggering edge cases in divsteps */
1127
1128 /* Test case known to need 713 divsteps */
1129 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1130 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1131 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1132 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1133 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1134 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1135 /* Test case known to need 589 divsteps, reaching delta=-140 and
1136 delta=141. */
1137 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1138 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1139 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1140 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1141 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1142 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1143 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1144 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1145 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1146 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1147 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1148 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1149 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1150 /* example needing 713 divsteps; delta=-2..3 */
1151 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1152 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1153 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1154 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1155 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1156 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1157 /* example needing 713 divsteps; delta=-2..3 */
1158 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1159 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1160 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1161 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1162 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1163 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1164 /* example needing 713 divsteps; delta=-2..3 */
1165 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1166 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1167 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1168 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1169 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1170 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1171 /* example reaching delta=-64..65; 661 divsteps */
1172 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1173 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1174 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1175 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1176 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1177 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1178 /* example reaching delta=-64..65; 661 divsteps */
1179 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1180 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1181 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1182 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1183 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1184 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1185 /* example reaching delta=-64..65; 661 divsteps */
1186 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1187 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1188 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1189 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1190 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1191 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1192 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1193 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1194 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1195 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1196 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1197 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1198 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1199 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1200 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1201 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1202 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1203 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1204 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1205 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1206 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1207 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1208 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1209 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1210 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1211 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1212 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1213 /* example doing 446 (f,g/2) steps; 523 divsteps */
1214 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1215 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1216 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1217 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1218 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1219 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1220 /* example doing 446 (f,g/2) steps; 523 divsteps */
1221 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1222 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1223 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1224 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1225 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1226 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1227 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1228 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1229 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1230 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1231 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1232 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1233 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1234 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1235 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1236 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1237 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1238 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1239 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1240 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1241 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1242 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1243 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1244 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1245 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1246 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1247 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1248 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1249 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1250 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1251 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1252 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1253 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1254 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1255
1256 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1257
1258 /* example needing 590 divsteps; delta=-5/2..7/2 */
1259 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1260 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1261 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1262 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1263 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1264 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1265 /* example needing 590 divsteps; delta=-3/2..5/2 */
1266 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1267 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1268 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1269 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1270 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1271 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1272 /* example needing 590 divsteps; delta=-3/2..5/2 */
1273 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1274 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1275 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1276 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1277 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1278 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1279 /* example needing 590 divsteps; delta=-5/2..7/2 */
1280 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1281 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1282 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1283 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1284 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1285 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1286 /* example needing 590 divsteps; delta=-3/2..5/2 */
1287 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1288 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1289 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1290 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1291 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1292 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1293 /* example reaching delta=-127/2..129/2; 571 divsteps */
1294 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1295 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1296 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1297 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1298 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1299 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1300 /* example reaching delta=-127/2..129/2; 571 divsteps */
1301 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1302 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1303 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1304 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1305 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1306 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1307 /* example reaching delta=-127/2..129/2; 571 divsteps */
1308 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1309 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1310 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1311 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1312 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1313 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1314 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1315 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1316 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1317 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1318 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1319 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1320 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1321 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1322 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1323 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1324 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1325 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1326 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1327 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1328 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1329 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1330 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1331 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1332 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1333 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1334 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1335 /* example doing 453 (f,g/2) steps; 514 divsteps */
1336 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1337 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1338 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1339 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1340 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1341 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1342 /* example doing 453 (f,g/2) steps; 514 divsteps */
1343 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1344 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1345 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1346 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1347 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1348 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1349 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1350 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1351 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1352 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1353 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1354 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1355 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1356 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1357 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1358 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1359 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1360 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1361 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1362 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1363 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1364 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1365 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1366 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1367 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1368 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1369 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1370 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1371 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1372 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1373 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1374 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1375 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1376 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1377
1378 /* Test cases with the group order as modulus. */
1379
1380 /* Test case with the group order as modulus, needing 635 divsteps. */
1381 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1382 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1383 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1384 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1385 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1386 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1387 /* example with group size as modulus needing 631 divsteps */
1388 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1389 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1390 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1391 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1392 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1393 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1394 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1395 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1396 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1397 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1398 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1399 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1400 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1401 /* Test case with the group size as modulus, needing 981 divsteps with
1402 broken eta handling. */
1403 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1404 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1405 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1406 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1407 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1408 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1409 /* Test case with the group size as modulus, input = 0. */
1410 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1411 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1412 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1413 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1414 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1415 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1416 /* Test case with the group size as modulus, input = 1. */
1417 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1418 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1419 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1420 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1421 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1422 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1423 /* Test case with the group size as modulus, input = 2. */
1424 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1425 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1426 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1427 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1428 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1429 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1430 /* Test case with the group size as modulus, input = group - 1. */
1431 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1432 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1433 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1434 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1435 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1436 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1437
1438 /* Test cases with the field size as modulus. */
1439
1440 /* Test case with the field size as modulus, needing 637 divsteps. */
1441 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1442 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1443 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1444 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1445 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1446 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1447 /* example with field size as modulus needing 637 divsteps */
1448 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1449 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1450 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1451 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1452 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1453 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1454 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1455 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1456 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1457 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1458 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1459 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1460 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1461 /* Test case with the field size as modulus, needing 935 divsteps with
1462 broken eta handling. */
1463 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1464 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1465 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1466 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1467 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1468 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1469 /* Test case with the field size as modulus, input = 0. */
1470 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1471 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1472 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1473 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1474 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1475 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1476 /* Test case with the field size as modulus, input = 1. */
1477 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1478 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1479 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1480 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1481 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1482 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1483 /* Test case with the field size as modulus, input = 2. */
1484 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1485 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1486 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1487 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1488 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1489 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1490 /* Test case with the field size as modulus, input = field - 1. */
1491 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1492 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1493 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1494 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1495 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1496 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1497
1498 /* Selected from a large number of random inputs to reach small/large
1499 * d/e values in various configurations. */
1500 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1501 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1502 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1503 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1504 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1505 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1506 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1507 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1508 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1509 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1510 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1511 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1512 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1513 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1514 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1515 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1516 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1517 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1518 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1519 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1520 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1521 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1522 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1523 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1524 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1525 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1526 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1527 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1528 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1529 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1530 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1531 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1532 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1533 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1534 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1535 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1536 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1537 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1538 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1539 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1540 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1541 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1542 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1543 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1544 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1545 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1546 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1547 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1548 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1549 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1550 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1551 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1552 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1553 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1554 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1555 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1556 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1557 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1558 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1559 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1560 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1561 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1562 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1563 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1564 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1565 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1566 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1567 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1568 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1569 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1570 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1571 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1572 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1573 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1574 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1575 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1576 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1577 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1578 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1579 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1580 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1581 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1582 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1583 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1584 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1585 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1586 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1587 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1588 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1589 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1590 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1591 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1592 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1593 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1594 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1595 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1596 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1597 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1598 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1599 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1600 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1601 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1602 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1603 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1604 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1605 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1606 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1607 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1608 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1609 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1610 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1611 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1612 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1613 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1614 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1615 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1616 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1617 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1618 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1619 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1620 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1621 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1622 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1623 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1624 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1625 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1626 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1627 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1628 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1629 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1630 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1631 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1632 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1633 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1634 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1635 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1636 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1637 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1638 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1639 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1640 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1641 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1642 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1643 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1644 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1645 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1646 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1647 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1648 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1649 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1650 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1651 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1652 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1653 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1654 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1655 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1656 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1657 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1658 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1659 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1660 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1661 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1662 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1663 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1664 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1665 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1666 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1667 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1668 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1669 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1670 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1671 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1672 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1673 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1674 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1675 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1676 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1677 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1678 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1679 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1680 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1681 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1682 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1683 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1684 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1685 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1686 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1687 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1688 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1689 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1690 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1691 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1692 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1693 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1694 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1695 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1696 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1697 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1698 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1699 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1700 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1701 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1702 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1703 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1704 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1705 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1706 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1707 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1708 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1709 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1710 };
1711
1712 1 int i, j, ok;
1713
1714 /* Test known inputs/outputs */
1715
2/2
✓ Branch 0 taken 86 times.
✓ Branch 1 taken 1 times.
87 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1716 86 uint16_t out[16];
1717 86 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1718
3/4
✗ Branch 1 not taken.
✓ Branch 2 taken 1376 times.
✓ Branch 5 taken 1376 times.
✓ Branch 6 taken 86 times.
1548 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1719 #ifdef SECP256K1_WIDEMUL_INT128
1720 86 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1721
3/4
✗ Branch 1 not taken.
✓ Branch 2 taken 1376 times.
✓ Branch 5 taken 1376 times.
✓ Branch 6 taken 86 times.
1548 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1722 #endif
1723 }
1724
1725
2/2
✓ Branch 0 taken 6400 times.
✓ Branch 1 taken 1 times.
6401 for (i = 0; i < 100 * count; ++i) {
1726 /* 256-bit numbers in 16-uint16_t's notation */
1727 7945 static const uint16_t ZERO[16] = {0};
1728 7945 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1729 7945 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1730 7945 uint16_t id[16]; /* the inverse of xd mod md */
1731
1732 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1733 7945 do {
1734 /* generate random xd and md (with many subsequent 0s and 1s) */
1735 7945 secp256k1_testrand256_test((unsigned char*)xd);
1736 7945 secp256k1_testrand256_test((unsigned char*)md);
1737 7945 md[0] |= 1; /* modulus must be odd */
1738 /* If modulus is 1, find another one. */
1739 7945 ok = md[0] != 1;
1740
2/2
✓ Branch 0 taken 119175 times.
✓ Branch 1 taken 7945 times.
127120 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1741 7945 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1742
3/4
✗ Branch 0 not taken.
✓ Branch 1 taken 7945 times.
✓ Branch 3 taken 1545 times.
✓ Branch 4 taken 6400 times.
7945 } while (!(ok && coprime(xd, md)));
1743
1744 6400 test_modinv32_uint16(id, xd, md);
1745 #ifdef SECP256K1_WIDEMUL_INT128
1746 6400 test_modinv64_uint16(id, xd, md);
1747 #endif
1748
1749 /* In a few cases, also test with input=0 */
1750
2/2
✓ Branch 0 taken 64 times.
✓ Branch 1 taken 6336 times.
6400 if (i < count) {
1751 64 test_modinv32_uint16(id, ZERO, md);
1752 #ifdef SECP256K1_WIDEMUL_INT128
1753 64 test_modinv64_uint16(id, ZERO, md);
1754 #endif
1755 }
1756 }
1757 1 }
1758
1759 /***** SCALAR TESTS *****/
1760
1761
1762 8192 void scalar_test(void) {
1763 8192 secp256k1_scalar s;
1764 8192 secp256k1_scalar s1;
1765 8192 secp256k1_scalar s2;
1766 8192 unsigned char c[32];
1767
1768 /* Set 's' to a random scalar, with value 'snum'. */
1769 8192 random_scalar_order_test(&s);
1770
1771 /* Set 's1' to a random scalar, with value 's1num'. */
1772 8192 random_scalar_order_test(&s1);
1773
1774 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1775 8192 random_scalar_order_test(&s2);
1776 8192 secp256k1_scalar_get_b32(c, &s2);
1777
1778 {
1779 8192 int i;
1780 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1781 8192 secp256k1_scalar n;
1782 8192 secp256k1_scalar_set_int(&n, 0);
1783
2/2
✓ Branch 0 taken 524288 times.
✓ Branch 1 taken 8192 times.
532480 for (i = 0; i < 256; i += 4) {
1784 524288 secp256k1_scalar t;
1785 524288 int j;
1786 524288 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1787
2/2
✓ Branch 0 taken 2097152 times.
✓ Branch 1 taken 524288 times.
2621440 for (j = 0; j < 4; j++) {
1788 2097152 secp256k1_scalar_add(&n, &n, &n);
1789 }
1790 524288 secp256k1_scalar_add(&n, &n, &t);
1791 }
1792
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&n, &s));
1793 }
1794
1795 {
1796 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1797 8192 secp256k1_scalar n;
1798 8192 int i = 0;
1799 8192 secp256k1_scalar_set_int(&n, 0);
1800
2/2
✓ Branch 0 taken 266759 times.
✓ Branch 1 taken 8192 times.
274951 while (i < 256) {
1801 266759 secp256k1_scalar t;
1802 266759 int j;
1803 266759 int now = secp256k1_testrand_int(15) + 1;
1804
2/2
✓ Branch 0 taken 7220 times.
✓ Branch 1 taken 259539 times.
266759 if (now + i > 256) {
1805 7220 now = 256 - i;
1806 }
1807 266759 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1808
2/2
✓ Branch 0 taken 2097152 times.
✓ Branch 1 taken 266759 times.
2363911 for (j = 0; j < now; j++) {
1809 2097152 secp256k1_scalar_add(&n, &n, &n);
1810 }
1811 266759 secp256k1_scalar_add(&n, &n, &t);
1812 266759 i += now;
1813 }
1814
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&n, &s));
1815 }
1816
1817 {
1818 /* test secp256k1_scalar_shr_int */
1819 8192 secp256k1_scalar r;
1820 8192 int i;
1821 8192 random_scalar_order_test(&r);
1822
2/2
✓ Branch 1 taken 819200 times.
✓ Branch 2 taken 8192 times.
835584 for (i = 0; i < 100; ++i) {
1823 819200 int low;
1824 819200 int shift = 1 + secp256k1_testrand_int(15);
1825 819200 int expected = r.d[0] % (1 << shift);
1826 819200 low = secp256k1_scalar_shr_int(&r, shift);
1827
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 819200 times.
819200 CHECK(expected == low);
1828 }
1829 }
1830
1831 {
1832 /* Test commutativity of add. */
1833 8192 secp256k1_scalar r1, r2;
1834 8192 secp256k1_scalar_add(&r1, &s1, &s2);
1835 8192 secp256k1_scalar_add(&r2, &s2, &s1);
1836
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &r2));
1837 }
1838
1839 {
1840 8192 secp256k1_scalar r1, r2;
1841 8192 secp256k1_scalar b;
1842 8192 int i;
1843 /* Test add_bit. */
1844 8192 int bit = secp256k1_testrand_bits(8);
1845 8192 secp256k1_scalar_set_int(&b, 1);
1846 8192 CHECK(secp256k1_scalar_is_one(&b));
1847
2/2
✓ Branch 0 taken 1043532 times.
✓ Branch 1 taken 8192 times.
1051724 for (i = 0; i < bit; i++) {
1848 1043532 secp256k1_scalar_add(&b, &b, &b);
1849 }
1850 8192 r1 = s1;
1851 8192 r2 = s1;
1852
2/2
✓ Branch 1 taken 7701 times.
✓ Branch 2 taken 491 times.
8192 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1853 /* No overflow happened. */
1854 7701 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1855
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 7701 times.
7701 CHECK(secp256k1_scalar_eq(&r1, &r2));
1856 /* cadd is a noop when flag is zero */
1857 7701 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1858
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 7701 times.
7701 CHECK(secp256k1_scalar_eq(&r1, &r2));
1859 }
1860 }
1861
1862 {
1863 /* Test commutativity of mul. */
1864 8192 secp256k1_scalar r1, r2;
1865 8192 secp256k1_scalar_mul(&r1, &s1, &s2);
1866 8192 secp256k1_scalar_mul(&r2, &s2, &s1);
1867
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &r2));
1868 }
1869
1870 {
1871 /* Test associativity of add. */
1872 8192 secp256k1_scalar r1, r2;
1873 8192 secp256k1_scalar_add(&r1, &s1, &s2);
1874 8192 secp256k1_scalar_add(&r1, &r1, &s);
1875 8192 secp256k1_scalar_add(&r2, &s2, &s);
1876 8192 secp256k1_scalar_add(&r2, &s1, &r2);
1877
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &r2));
1878 }
1879
1880 {
1881 /* Test associativity of mul. */
1882 8192 secp256k1_scalar r1, r2;
1883 8192 secp256k1_scalar_mul(&r1, &s1, &s2);
1884 8192 secp256k1_scalar_mul(&r1, &r1, &s);
1885 8192 secp256k1_scalar_mul(&r2, &s2, &s);
1886 8192 secp256k1_scalar_mul(&r2, &s1, &r2);
1887
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &r2));
1888 }
1889
1890 {
1891 /* Test distributitivity of mul over add. */
1892 8192 secp256k1_scalar r1, r2, t;
1893 8192 secp256k1_scalar_add(&r1, &s1, &s2);
1894 8192 secp256k1_scalar_mul(&r1, &r1, &s);
1895 8192 secp256k1_scalar_mul(&r2, &s1, &s);
1896 8192 secp256k1_scalar_mul(&t, &s2, &s);
1897 8192 secp256k1_scalar_add(&r2, &r2, &t);
1898
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &r2));
1899 }
1900
1901 {
1902 /* Test square. */
1903 8192 secp256k1_scalar r1, r2;
1904 8192 secp256k1_scalar_sqr(&r1, &s1);
1905 8192 secp256k1_scalar_mul(&r2, &s1, &s1);
1906
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &r2));
1907 }
1908
1909 {
1910 /* Test multiplicative identity. */
1911 8192 secp256k1_scalar r1, v1;
1912 8192 secp256k1_scalar_set_int(&v1,1);
1913 8192 secp256k1_scalar_mul(&r1, &s1, &v1);
1914
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &s1));
1915 }
1916
1917 {
1918 /* Test additive identity. */
1919 8192 secp256k1_scalar r1, v0;
1920 8192 secp256k1_scalar_set_int(&v0,0);
1921 8192 secp256k1_scalar_add(&r1, &s1, &v0);
1922
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &s1));
1923 }
1924
1925 {
1926 /* Test zero product property. */
1927 8192 secp256k1_scalar r1, v0;
1928 8192 secp256k1_scalar_set_int(&v0,0);
1929 8192 secp256k1_scalar_mul(&r1, &s1, &v0);
1930
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 8192 times.
8192 CHECK(secp256k1_scalar_eq(&r1, &v0));
1931 }
1932
1933 8192 }
1934
1935 64 void run_scalar_set_b32_seckey_tests(void) {
1936 64 unsigned char b32[32];
1937 64 secp256k1_scalar s1;
1938 64 secp256k1_scalar s2;
1939
1940 /* Usually set_b32 and set_b32_seckey give the same result */
1941 64 random_scalar_order_b32(b32);
1942 64 secp256k1_scalar_set_b32(&s1, b32, NULL);
1943
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 64 times.
64 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1944
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
64 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1945
1946 64 memset(b32, 0, sizeof(b32));
1947
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 64 times.
64 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1948 64 memset(b32, 0xFF, sizeof(b32));
1949
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 64 times.
64 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1950 64 }
1951
1952 1 void scalar_chacha_tests(void) {
1953 /* Test vectors 1 to 4 from https://tools.ietf.org/html/rfc8439#appendix-A
1954 * Note that scalar_set_b32 and scalar_get_b32 represent integers
1955 * underlying the scalar in big-endian format. */
1956 1 unsigned char expected1[64] = {
1957 0xad, 0xe0, 0xb8, 0x76, 0x90, 0x3d, 0xf1, 0xa0,
1958 0xe5, 0x6a, 0x5d, 0x40, 0x28, 0xbd, 0x86, 0x53,
1959 0xb8, 0x19, 0xd2, 0xbd, 0x1a, 0xed, 0x8d, 0xa0,
1960 0xcc, 0xef, 0x36, 0xa8, 0xc7, 0x0d, 0x77, 0x8b,
1961 0x7c, 0x59, 0x41, 0xda, 0x8d, 0x48, 0x57, 0x51,
1962 0x3f, 0xe0, 0x24, 0x77, 0x37, 0x4a, 0xd8, 0xb8,
1963 0xf4, 0xb8, 0x43, 0x6a, 0x1c, 0xa1, 0x18, 0x15,
1964 0x69, 0xb6, 0x87, 0xc3, 0x86, 0x65, 0xee, 0xb2
1965 };
1966 1 unsigned char expected2[64] = {
1967 0xbe, 0xe7, 0x07, 0x9f, 0x7a, 0x38, 0x51, 0x55,
1968 0x7c, 0x97, 0xba, 0x98, 0x0d, 0x08, 0x2d, 0x73,
1969 0xa0, 0x29, 0x0f, 0xcb, 0x69, 0x65, 0xe3, 0x48,
1970 0x3e, 0x53, 0xc6, 0x12, 0xed, 0x7a, 0xee, 0x32,
1971 0x76, 0x21, 0xb7, 0x29, 0x43, 0x4e, 0xe6, 0x9c,
1972 0xb0, 0x33, 0x71, 0xd5, 0xd5, 0x39, 0xd8, 0x74,
1973 0x28, 0x1f, 0xed, 0x31, 0x45, 0xfb, 0x0a, 0x51,
1974 0x1f, 0x0a, 0xe1, 0xac, 0x6f, 0x4d, 0x79, 0x4b
1975 };
1976 1 unsigned char seed3[32] = {
1977 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1978 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1979 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1980 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
1981 };
1982 1 unsigned char expected3[64] = {
1983 0x24, 0x52, 0xeb, 0x3a, 0x92, 0x49, 0xf8, 0xec,
1984 0x8d, 0x82, 0x9d, 0x9b, 0xdd, 0xd4, 0xce, 0xb1,
1985 0xe8, 0x25, 0x20, 0x83, 0x60, 0x81, 0x8b, 0x01,
1986 0xf3, 0x84, 0x22, 0xb8, 0x5a, 0xaa, 0x49, 0xc9,
1987 0xbb, 0x00, 0xca, 0x8e, 0xda, 0x3b, 0xa7, 0xb4,
1988 0xc4, 0xb5, 0x92, 0xd1, 0xfd, 0xf2, 0x73, 0x2f,
1989 0x44, 0x36, 0x27, 0x4e, 0x25, 0x61, 0xb3, 0xc8,
1990 0xeb, 0xdd, 0x4a, 0xa6, 0xa0, 0x13, 0x6c, 0x00
1991 };
1992 1 unsigned char seed4[32] = {
1993 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1994 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1995 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1996 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1997 };
1998 1 unsigned char expected4[64] = {
1999 0xfb, 0x4d, 0xd5, 0x72, 0x4b, 0xc4, 0x2e, 0xf1,
2000 0xdf, 0x92, 0x26, 0x36, 0x32, 0x7f, 0x13, 0x94,
2001 0xa7, 0x8d, 0xea, 0x8f, 0x5e, 0x26, 0x90, 0x39,
2002 0xa1, 0xbe, 0xbb, 0xc1, 0xca, 0xf0, 0x9a, 0xae,
2003 0xa2, 0x5a, 0xb2, 0x13, 0x48, 0xa6, 0xb4, 0x6c,
2004 0x1b, 0x9d, 0x9b, 0xcb, 0x09, 0x2c, 0x5b, 0xe6,
2005 0x54, 0x6c, 0xa6, 0x24, 0x1b, 0xec, 0x45, 0xd5,
2006 0x87, 0xf4, 0x74, 0x73, 0x96, 0xf0, 0x99, 0x2e
2007 };
2008 1 unsigned char seed5[32] = {
2009 0x32, 0x56, 0x56, 0xf4, 0x29, 0x02, 0xc2, 0xf8,
2010 0xa3, 0x4b, 0x96, 0xf5, 0xa7, 0xf7, 0xe3, 0x6c,
2011 0x92, 0xad, 0xa5, 0x18, 0x1c, 0xe3, 0x41, 0xae,
2012 0xc3, 0xf3, 0x18, 0xd0, 0xfa, 0x5b, 0x72, 0x53
2013 };
2014 1 unsigned char expected5[64] = {
2015 0xe7, 0x56, 0xd3, 0x28, 0xe9, 0xc6, 0x19, 0x5c,
2016 0x6f, 0x17, 0x8e, 0x21, 0x8c, 0x1e, 0x72, 0x11,
2017 0xe7, 0xbd, 0x17, 0x0d, 0xac, 0x14, 0xad, 0xe9,
2018 0x3d, 0x9f, 0xb6, 0x92, 0xd6, 0x09, 0x20, 0xfb,
2019 0x43, 0x8e, 0x3b, 0x6d, 0xe3, 0x33, 0xdc, 0xc7,
2020 0x6c, 0x07, 0x6f, 0xbb, 0x1f, 0xb4, 0xc8, 0xb5,
2021 0xe3, 0x6c, 0xe5, 0x12, 0xd9, 0xd7, 0x64, 0x0c,
2022 0xf5, 0xa7, 0x0d, 0xab, 0x79, 0x03, 0xf1, 0x81
2023 };
2024
2025 1 secp256k1_scalar exp_r1, exp_r2;
2026 1 secp256k1_scalar r1, r2;
2027 1 unsigned char seed0[32] = { 0 };
2028
2029 1 secp256k1_scalar_chacha20(&r1, &r2, seed0, 0);
2030 1 secp256k1_scalar_set_b32(&exp_r1, &expected1[0], NULL);
2031 1 secp256k1_scalar_set_b32(&exp_r2, &expected1[32], NULL);
2032
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r1, &r1));
2033
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r2, &r2));
2034
2035 1 secp256k1_scalar_chacha20(&r1, &r2, seed0, 1);
2036 1 secp256k1_scalar_set_b32(&exp_r1, &expected2[0], NULL);
2037 1 secp256k1_scalar_set_b32(&exp_r2, &expected2[32], NULL);
2038
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r1, &r1));
2039
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r2, &r2));
2040
2041 1 secp256k1_scalar_chacha20(&r1, &r2, seed3, 1);
2042 1 secp256k1_scalar_set_b32(&exp_r1, &expected3[0], NULL);
2043 1 secp256k1_scalar_set_b32(&exp_r2, &expected3[32], NULL);
2044
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r1, &r1));
2045
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r2, &r2));
2046
2047 1 secp256k1_scalar_chacha20(&r1, &r2, seed4, 2);
2048 1 secp256k1_scalar_set_b32(&exp_r1, &expected4[0], NULL);
2049 1 secp256k1_scalar_set_b32(&exp_r2, &expected4[32], NULL);
2050
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r1, &r1));
2051
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r2, &r2));
2052
2053 1 secp256k1_scalar_chacha20(&r1, &r2, seed5, 0x6ff8602a7a78e2f2ULL);
2054 1 secp256k1_scalar_set_b32(&exp_r1, &expected5[0], NULL);
2055 1 secp256k1_scalar_set_b32(&exp_r2, &expected5[32], NULL);
2056
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r1, &r1));
2057
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&exp_r2, &r2));
2058 1 }
2059
2060 1 void run_scalar_tests(void) {
2061 1 int i;
2062
2/2
✓ Branch 0 taken 8192 times.
✓ Branch 1 taken 1 times.
8193 for (i = 0; i < 128 * count; i++) {
2063 8192 scalar_test();
2064 }
2065
2/2
✓ Branch 0 taken 64 times.
✓ Branch 1 taken 1 times.
65 for (i = 0; i < count; i++) {
2066 64 run_scalar_set_b32_seckey_tests();
2067 }
2068
2069 1 scalar_chacha_tests();
2070
2071 {
2072 /* (-1)+1 should be zero. */
2073 1 secp256k1_scalar s, o;
2074 1 secp256k1_scalar_set_int(&s, 1);
2075 1 CHECK(secp256k1_scalar_is_one(&s));
2076 1 secp256k1_scalar_negate(&o, &s);
2077 1 secp256k1_scalar_add(&o, &o, &s);
2078
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_is_zero(&o));
2079 1 secp256k1_scalar_negate(&o, &o);
2080
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_is_zero(&o));
2081 }
2082
2083 {
2084 /* Does check_overflow check catch all ones? */
2085 1 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
2086 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2087 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2088 );
2089
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_check_overflow(&overflowed));
2090 }
2091
2092 {
2093 /* Static test vectors.
2094 * These were reduced from ~10^12 random vectors based on comparison-decision
2095 * and edge-case coverage on 32-bit and 64-bit implementations.
2096 * The responses were generated with Sage 5.9.
2097 */
2098 1 secp256k1_scalar x;
2099 1 secp256k1_scalar y;
2100 1 secp256k1_scalar z;
2101 1 secp256k1_scalar zz;
2102 1 secp256k1_scalar one;
2103 1 secp256k1_scalar r1;
2104 1 secp256k1_scalar r2;
2105 1 secp256k1_scalar zzv;
2106 1 int overflow;
2107 1 unsigned char chal[33][2][32] = {
2108 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2109 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2110 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2111 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2112 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2114 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2115 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2116 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2117 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2120 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2121 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2122 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2123 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2124 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2125 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2126 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2127 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2128 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2129 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2130 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2131 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2132 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2133 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2134 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2135 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2136 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2137 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2138 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2139 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2140 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2141 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2142 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2143 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2144 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2145 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2146 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2147 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2148 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2149 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2150 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2151 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2152 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2153 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2154 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2155 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2156 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2157 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2158 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2159 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2160 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2161 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2162 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2163 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2164 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2165 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2166 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2167 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2168 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2169 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2170 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2171 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2172 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2173 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2174 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2175 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2176 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2177 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2178 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2179 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2180 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2181 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2182 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2183 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2184 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2185 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2186 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2187 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2188 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2189 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2190 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2191 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2192 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2196 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2197 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2198 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2199 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2200 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2201 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2202 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2204 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2205 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2206 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2207 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2208 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2209 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2210 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2211 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2212 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2213 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2214 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2215 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2216 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2217 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2218 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2220 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2221 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2223 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2224 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2226 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2227 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2228 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2230 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2231 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2232 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2233 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2234 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2235 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2237 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2238 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2239 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2240 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2241 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2242 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2244 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2245 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2246 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2247 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2248 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2249 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2250 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2251 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2252 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2253 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2254 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2255 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2256 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2257 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2258 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2259 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2260 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2261 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2262 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2264 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2265 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2266 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2267 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2268 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2272 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2273 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2274 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2275 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2276 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2280 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2281 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2282 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2284 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2286 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2288 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2289 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2290 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2291 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2292 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2293 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2294 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2295 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2296 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2297 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2298 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2299 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2300 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2301 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2302 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2303 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2304 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2305 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2306 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2307 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2308 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2309 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2310 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2311 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2312 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2313 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2316 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2317 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2318 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2319 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2320 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2321 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2322 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2324 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2325 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2326 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2327 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2328 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2329 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2330 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2331 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2332 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2333 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2334 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2335 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2336 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2338 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2339 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2340 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2341 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2342 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2343 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2344 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2345 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2346 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2347 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2348 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2349 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2350 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2351 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2352 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2353 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2354 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2355 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2356 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2357 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2358 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2359 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2360 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2361 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2362 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2363 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2364 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2365 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2366 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2367 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2368 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2369 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2370 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2371 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2372 };
2373 1 unsigned char res[33][2][32] = {
2374 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2375 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2376 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2377 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2378 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2379 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2380 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2381 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2382 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2383 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2384 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2385 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2386 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2387 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2388 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2389 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2390 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2391 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2392 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2393 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2394 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2395 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2396 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2397 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2398 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2399 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2400 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2401 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2402 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2403 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2404 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2405 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2406 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2407 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2408 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2409 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2410 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2411 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2412 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2413 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2414 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2415 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2416 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2417 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2418 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2419 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2420 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2421 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2422 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2423 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2424 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2425 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2426 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2427 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2428 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2429 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2430 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2431 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2432 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2433 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2434 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2435 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2436 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2437 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2438 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2439 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2440 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2441 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2442 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2443 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2444 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2445 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2446 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2447 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2448 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2449 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2450 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2451 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2452 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2453 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2454 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2455 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2456 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2457 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2458 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2459 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2460 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2461 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2462 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2463 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2464 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2465 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2466 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2467 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2468 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2469 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2470 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2471 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2472 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2473 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2474 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2475 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2476 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2477 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2478 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2479 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2480 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2481 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2482 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2483 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2484 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2485 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2486 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2487 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2488 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2489 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2490 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2491 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2492 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2493 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2494 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2495 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2496 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2497 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2498 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2499 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2500 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2501 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2502 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2503 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2504 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2505 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2506 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2507 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2508 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2509 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2510 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2511 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2512 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2513 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2514 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2515 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2516 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2517 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2518 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2519 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2520 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2521 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2522 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2523 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2524 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2525 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2526 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2527 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2528 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2529 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2530 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2531 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2532 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2533 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2534 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2538 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2542 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2543 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2546 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2547 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2550 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2551 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2552 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2553 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2554 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2555 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2556 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2557 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2558 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2559 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2560 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2561 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2562 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2563 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2564 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2565 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2566 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2568 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2569 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2570 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2571 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2572 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2573 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2574 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2575 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2576 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2577 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2578 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2582 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2583 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2584 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2585 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2586 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2587 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2588 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2589 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2590 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2591 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2592 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2593 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2594 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2595 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2596 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2597 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2598 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2599 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2600 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2601 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2602 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2603 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2604 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2605 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2606 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2607 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2608 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2609 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2610 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2611 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2612 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2613 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2614 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2615 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2616 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2617 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2618 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2619 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2620 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2621 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2622 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2623 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2624 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2625 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2626 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2627 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2628 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2629 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2630 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2631 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2632 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2633 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2634 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2635 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2636 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2637 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2638 };
2639 1 secp256k1_scalar_set_int(&one, 1);
2640
2/2
✓ Branch 0 taken 33 times.
✓ Branch 1 taken 1 times.
34 for (i = 0; i < 33; i++) {
2641 33 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
2642
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(!overflow);
2643 33 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
2644
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(!overflow);
2645 33 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
2646
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(!overflow);
2647 33 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
2648
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(!overflow);
2649 33 secp256k1_scalar_mul(&z, &x, &y);
2650
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(!secp256k1_scalar_check_overflow(&z));
2651
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(secp256k1_scalar_eq(&r1, &z));
2652
2/2
✓ Branch 0 taken 32 times.
✓ Branch 1 taken 1 times.
33 if (!secp256k1_scalar_is_zero(&y)) {
2653 32 secp256k1_scalar_inverse(&zz, &y);
2654
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(!secp256k1_scalar_check_overflow(&zz));
2655 32 secp256k1_scalar_inverse_var(&zzv, &y);
2656
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(secp256k1_scalar_eq(&zzv, &zz));
2657 32 secp256k1_scalar_mul(&z, &z, &zz);
2658
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(!secp256k1_scalar_check_overflow(&z));
2659
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(secp256k1_scalar_eq(&x, &z));
2660 32 secp256k1_scalar_mul(&zz, &zz, &y);
2661
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(!secp256k1_scalar_check_overflow(&zz));
2662
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(secp256k1_scalar_eq(&one, &zz));
2663 }
2664 33 secp256k1_scalar_mul(&z, &x, &x);
2665
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(!secp256k1_scalar_check_overflow(&z));
2666 33 secp256k1_scalar_sqr(&zz, &x);
2667
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(!secp256k1_scalar_check_overflow(&zz));
2668
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(secp256k1_scalar_eq(&zz, &z));
2669
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 33 times.
33 CHECK(secp256k1_scalar_eq(&r2, &zz));
2670 }
2671 }
2672 1 }
2673
2674 /***** FIELD TESTS *****/
2675
2676 160650 void random_fe(secp256k1_fe *x) {
2677 160650 unsigned char bin[32];
2678 160650 do {
2679 160650 secp256k1_testrand256(bin);
2680
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 160650 times.
160650 if (secp256k1_fe_set_b32(x, bin)) {
2681 160650 return;
2682 }
2683 } while(1);
2684 }
2685
2686 45326 void random_fe_test(secp256k1_fe *x) {
2687 45346 unsigned char bin[32];
2688 45346 do {
2689 45346 secp256k1_testrand256_test(bin);
2690
2/2
✓ Branch 1 taken 20 times.
✓ Branch 2 taken 45326 times.
45346 if (secp256k1_fe_set_b32(x, bin)) {
2691 45326 return;
2692 }
2693 } while(1);
2694 }
2695
2696 115210 void random_fe_non_zero(secp256k1_fe *nz) {
2697 115210 int tries = 10;
2698
1/2
✓ Branch 0 taken 115210 times.
✗ Branch 1 not taken.
115210 while (--tries >= 0) {
2699 115210 random_fe(nz);
2700 115210 secp256k1_fe_normalize(nz);
2701
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 115210 times.
115210 if (!secp256k1_fe_is_zero(nz)) {
2702 break;
2703 }
2704 }
2705 /* Infinitesimal probability of spurious failure here */
2706
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 115210 times.
115210 CHECK(tries >= 0);
2707 115210 }
2708
2709 10 void random_fe_non_square(secp256k1_fe *ns) {
2710 10 secp256k1_fe r;
2711 10 random_fe_non_zero(ns);
2712
2/2
✓ Branch 1 taken 7 times.
✓ Branch 2 taken 3 times.
10 if (secp256k1_fe_sqrt(&r, ns)) {
2713 7 secp256k1_fe_negate(ns, ns, 1);
2714 }
2715 10 }
2716
2717 448062 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
2718 448062 secp256k1_fe an = *a;
2719 448062 secp256k1_fe bn = *b;
2720 448062 secp256k1_fe_normalize_weak(&an);
2721 448062 secp256k1_fe_normalize_var(&bn);
2722 448062 return secp256k1_fe_equal_var(&an, &bn);
2723 }
2724
2725 1 void run_field_convert(void) {
2726 1 static const unsigned char b32[32] = {
2727 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2728 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2729 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2730 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2731 };
2732 1 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
2733 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2734 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2735 );
2736 1 static const secp256k1_fe fe = SECP256K1_FE_CONST(
2737 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2738 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2739 );
2740 1 secp256k1_fe fe2;
2741 1 unsigned char b322[32];
2742 1 secp256k1_fe_storage fes2;
2743 /* Check conversions to fe. */
2744
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_fe_set_b32(&fe2, b32));
2745
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2746 1 secp256k1_fe_from_storage(&fe2, &fes);
2747
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
2748 /* Check conversion from fe. */
2749 1 secp256k1_fe_get_b32(b322, &fe);
2750
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
2751 1 secp256k1_fe_to_storage(&fes2, &fe);
2752
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2753 1 }
2754
2755 /* Returns true if two field elements have the same representation. */
2756 192000 int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
2757 192000 int ret = 1;
2758 #ifdef VERIFY
2759 ret &= (a->magnitude == b->magnitude);
2760 ret &= (a->normalized == b->normalized);
2761 #endif
2762 /* Compare the struct member that holds the limbs. */
2763 192000 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
2764 192000 return ret;
2765 }
2766
2767 1 void run_field_half(void) {
2768 1 secp256k1_fe t, u;
2769 1 int m;
2770
2771 /* Check magnitude 0 input */
2772 1 secp256k1_fe_get_bounds(&t, 0);
2773 1 secp256k1_fe_half(&t);
2774 #ifdef VERIFY
2775 CHECK(t.magnitude == 1);
2776 CHECK(t.normalized == 0);
2777 #endif
2778
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_normalizes_to_zero(&t));
2779
2780 /* Check non-zero magnitudes in the supported range */
2781
2/2
✓ Branch 0 taken 31 times.
✓ Branch 1 taken 1 times.
32 for (m = 1; m < 32; m++) {
2782 /* Check max-value input */
2783 31 secp256k1_fe_get_bounds(&t, m);
2784
2785 31 u = t;
2786 31 secp256k1_fe_half(&u);
2787 #ifdef VERIFY
2788 CHECK(u.magnitude == (m >> 1) + 1);
2789 CHECK(u.normalized == 0);
2790 #endif
2791 31 secp256k1_fe_normalize_weak(&u);
2792 31 secp256k1_fe_add(&u, &u);
2793
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
31 CHECK(check_fe_equal(&t, &u));
2794
2795 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
2796 * which will also cause all carries to be 1, since all limbs that can
2797 * generate a carry are initially even and all limbs of P are odd in
2798 * every existing field implementation. */
2799 31 secp256k1_fe_get_bounds(&t, m);
2800
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
31 CHECK(t.n[0] > 0);
2801
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
31 CHECK((t.n[0] & 1) == 0);
2802 31 --t.n[0];
2803
2804 31 u = t;
2805 31 secp256k1_fe_half(&u);
2806 #ifdef VERIFY
2807 CHECK(u.magnitude == (m >> 1) + 1);
2808 CHECK(u.normalized == 0);
2809 #endif
2810 31 secp256k1_fe_normalize_weak(&u);
2811 31 secp256k1_fe_add(&u, &u);
2812
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
31 CHECK(check_fe_equal(&t, &u));
2813 }
2814 1 }
2815
2816 1 void run_field_misc(void) {
2817 1 secp256k1_fe x;
2818 1 secp256k1_fe y;
2819 1 secp256k1_fe z;
2820 1 secp256k1_fe q;
2821 1 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2822 1 int i, j;
2823
2/2
✓ Branch 0 taken 64000 times.
✓ Branch 1 taken 1 times.
64001 for (i = 0; i < 1000 * count; i++) {
2824 64000 secp256k1_fe_storage xs, ys, zs;
2825
2/2
✓ Branch 0 taken 32000 times.
✓ Branch 1 taken 32000 times.
64000 if (i & 1) {
2826 32000 random_fe(&x);
2827 } else {
2828 32000 random_fe_test(&x);
2829 }
2830 64000 random_fe_non_zero(&y);
2831 /* Test the fe equality and comparison operations. */
2832
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
2833
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(secp256k1_fe_equal_var(&x, &x));
2834 64000 z = x;
2835 64000 secp256k1_fe_add(&z,&y);
2836 /* Test fe conditional move; z is not normalized here. */
2837 64000 q = x;
2838 64000 secp256k1_fe_cmov(&x, &z, 0);
2839 #ifdef VERIFY
2840 CHECK(x.normalized && x.magnitude == 1);
2841 #endif
2842 64000 secp256k1_fe_cmov(&x, &x, 1);
2843
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(!fe_identical(&x, &z));
2844
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(fe_identical(&x, &q));
2845 64000 secp256k1_fe_cmov(&q, &z, 1);
2846 #ifdef VERIFY
2847 CHECK(!q.normalized && q.magnitude == z.magnitude);
2848 #endif
2849
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(fe_identical(&q, &z));
2850 64000 secp256k1_fe_normalize_var(&x);
2851 64000 secp256k1_fe_normalize_var(&z);
2852
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(!secp256k1_fe_equal_var(&x, &z));
2853 64000 secp256k1_fe_normalize_var(&q);
2854 64000 secp256k1_fe_cmov(&q, &z, (i&1));
2855 #ifdef VERIFY
2856 CHECK(q.normalized && q.magnitude == 1);
2857 #endif
2858
2/2
✓ Branch 1 taken 384000 times.
✓ Branch 2 taken 64000 times.
512000 for (j = 0; j < 6; j++) {
2859 384000 secp256k1_fe_negate(&z, &z, j+1);
2860 384000 secp256k1_fe_normalize_var(&q);
2861 384000 secp256k1_fe_cmov(&q, &z, (j&1));
2862 #ifdef VERIFY
2863 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2864 #endif
2865 }
2866 64000 secp256k1_fe_normalize_var(&z);
2867 /* Test storage conversion and conditional moves. */
2868 64000 secp256k1_fe_to_storage(&xs, &x);
2869 64000 secp256k1_fe_to_storage(&ys, &y);
2870 64000 secp256k1_fe_to_storage(&zs, &z);
2871 64000 secp256k1_fe_storage_cmov(&zs, &xs, 0);
2872 64000 secp256k1_fe_storage_cmov(&zs, &zs, 1);
2873
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 64000 times.
128000 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2874 64000 secp256k1_fe_storage_cmov(&ys, &xs, 1);
2875
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 64000 times.
128000 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2876 64000 secp256k1_fe_from_storage(&x, &xs);
2877 64000 secp256k1_fe_from_storage(&y, &ys);
2878 64000 secp256k1_fe_from_storage(&z, &zs);
2879 /* Test that mul_int, mul, and add agree. */
2880 64000 secp256k1_fe_add(&y, &x);
2881 64000 secp256k1_fe_add(&y, &x);
2882 64000 z = x;
2883 64000 secp256k1_fe_mul_int(&z, 3);
2884
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(check_fe_equal(&y, &z));
2885 64000 secp256k1_fe_add(&y, &x);
2886 64000 secp256k1_fe_add(&z, &x);
2887
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(check_fe_equal(&z, &y));
2888 64000 z = x;
2889 64000 secp256k1_fe_mul_int(&z, 5);
2890 64000 secp256k1_fe_mul(&q, &x, &fe5);
2891
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(check_fe_equal(&z, &q));
2892 64000 secp256k1_fe_negate(&x, &x, 1);
2893 64000 secp256k1_fe_add(&z, &x);
2894 64000 secp256k1_fe_add(&q, &x);
2895
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(check_fe_equal(&y, &z));
2896
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(check_fe_equal(&q, &y));
2897 /* Check secp256k1_fe_half. */
2898 64000 z = x;
2899 64000 secp256k1_fe_half(&z);
2900 64000 secp256k1_fe_add(&z, &z);
2901
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(check_fe_equal(&x, &z));
2902 64000 secp256k1_fe_add(&z, &z);
2903 64000 secp256k1_fe_half(&z);
2904
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64000 times.
64000 CHECK(check_fe_equal(&x, &z));
2905 }
2906 1 }
2907
2908 38400 void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
2909 {
2910 38400 secp256k1_fe c, an, bn;
2911 /* Variables in BE 32-byte format. */
2912 38400 unsigned char a32[32], b32[32], c32[32];
2913 /* Variables in LE 16x uint16_t format. */
2914 38400 uint16_t a16[16], b16[16], c16[16];
2915 /* Field modulus in LE 16x uint16_t format. */
2916 38400 static const uint16_t m16[16] = {
2917 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2918 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2919 };
2920 38400 uint16_t t16[32];
2921 38400 int i;
2922
2923 /* Compute C = A * B in fe format. */
2924 38400 c = *a;
2925
2/2
✓ Branch 0 taken 12800 times.
✓ Branch 1 taken 25600 times.
38400 if (use_sqr) {
2926 12800 secp256k1_fe_sqr(&c, &c);
2927 } else {
2928 25600 secp256k1_fe_mul(&c, &c, b);
2929 }
2930
2931 /* Convert A, B, C into LE 16x uint16_t format. */
2932 38400 an = *a;
2933 38400 bn = *b;
2934 38400 secp256k1_fe_normalize_var(&c);
2935 38400 secp256k1_fe_normalize_var(&an);
2936 38400 secp256k1_fe_normalize_var(&bn);
2937 38400 secp256k1_fe_get_b32(a32, &an);
2938 38400 secp256k1_fe_get_b32(b32, &bn);
2939 38400 secp256k1_fe_get_b32(c32, &c);
2940
2/2
✓ Branch 1 taken 614400 times.
✓ Branch 2 taken 38400 times.
691200 for (i = 0; i < 16; ++i) {
2941 614400 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
2942 614400 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
2943 614400 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
2944 }
2945 /* Compute T = A * B in LE 16x uint16_t format. */
2946 38400 mulmod256(t16, a16, b16, m16);
2947 /* Compare */
2948
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 38400 times.
76800 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
2949 38400 }
2950
2951 1 void run_fe_mul(void) {
2952 1 int i;
2953
2/2
✓ Branch 0 taken 6400 times.
✓ Branch 1 taken 1 times.
6401 for (i = 0; i < 100 * count; ++i) {
2954 6400 secp256k1_fe a, b, c, d;
2955 6400 random_fe(&a);
2956 6400 random_field_element_magnitude(&a);
2957 6400 random_fe(&b);
2958 6400 random_field_element_magnitude(&b);
2959 6400 random_fe_test(&c);
2960 6400 random_field_element_magnitude(&c);
2961 6400 random_fe_test(&d);
2962 6400 random_field_element_magnitude(&d);
2963 6400 test_fe_mul(&a, &a, 1);
2964 6400 test_fe_mul(&c, &c, 1);
2965 6400 test_fe_mul(&a, &b, 0);
2966 6400 test_fe_mul(&a, &c, 0);
2967 6400 test_fe_mul(&c, &b, 0);
2968 6400 test_fe_mul(&c, &d, 0);
2969 }
2970 1 }
2971
2972 1 void run_sqr(void) {
2973 1 secp256k1_fe x, s;
2974
2975 {
2976 1 int i;
2977 1 secp256k1_fe_set_int(&x, 1);
2978 1 secp256k1_fe_negate(&x, &x, 1);
2979
2980
2/2
✓ Branch 0 taken 512 times.
✓ Branch 1 taken 1 times.
513 for (i = 1; i <= 512; ++i) {
2981 512 secp256k1_fe_mul_int(&x, 2);
2982 512 secp256k1_fe_normalize(&x);
2983 512 secp256k1_fe_sqr(&s, &x);
2984 }
2985 }
2986 1 }
2987
2988 2121 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2989 2121 secp256k1_fe r1, r2;
2990 2121 int v = secp256k1_fe_sqrt(&r1, a);
2991
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2121 times.
2121 CHECK((v == 0) == (k == NULL));
2992
2993
2/2
✓ Branch 0 taken 741 times.
✓ Branch 1 taken 1380 times.
2121 if (k != NULL) {
2994 /* Check that the returned root is +/- the given known answer */
2995 741 secp256k1_fe_negate(&r2, &r1, 1);
2996 741 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2997 741 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2998
3/4
✓ Branch 0 taken 388 times.
✓ Branch 1 taken 353 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 388 times.
741 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2999 }
3000 2121 }
3001
3002 1 void run_sqrt(void) {
3003 1 secp256k1_fe ns, x, s, t;
3004 1 int i;
3005
3006 /* Check sqrt(0) is 0 */
3007 1 secp256k1_fe_set_int(&x, 0);
3008 1 secp256k1_fe_sqr(&s, &x);
3009 1 test_sqrt(&s, &x);
3010
3011 /* Check sqrt of small squares (and their negatives) */
3012
2/2
✓ Branch 1 taken 100 times.
✓ Branch 2 taken 1 times.
102 for (i = 1; i <= 100; i++) {
3013 100 secp256k1_fe_set_int(&x, i);
3014 100 secp256k1_fe_sqr(&s, &x);
3015 100 test_sqrt(&s, &x);
3016 100 secp256k1_fe_negate(&t, &s, 1);
3017 100 test_sqrt(&t, NULL);
3018 }
3019
3020 /* Consistency checks for large random values */
3021
2/2
✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1 times.
11 for (i = 0; i < 10; i++) {
3022 10 int j;
3023 10 random_fe_non_square(&ns);
3024
2/2
✓ Branch 1 taken 640 times.
✓ Branch 2 taken 10 times.
660 for (j = 0; j < count; j++) {
3025 640 random_fe(&x);
3026 640 secp256k1_fe_sqr(&s, &x);
3027 640 test_sqrt(&s, &x);
3028 640 secp256k1_fe_negate(&t, &s, 1);
3029 640 test_sqrt(&t, NULL);
3030 640 secp256k1_fe_mul(&t, &s, &ns);
3031 640 test_sqrt(&t, NULL);
3032 }
3033 }
3034 1 }
3035
3036 /***** FIELD/SCALAR INVERSE TESTS *****/
3037
3038 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3039 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3040 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3041 );
3042
3043 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3044 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3045 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3046 );
3047
3048 /* These tests test the following identities:
3049 *
3050 * for x==0: 1/x == 0
3051 * for x!=0: x*(1/x) == 1
3052 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3053 */
3054
3055 20532 void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3056 {
3057 20532 secp256k1_scalar l, r, t;
3058
3059
2/2
✓ Branch 0 taken 10266 times.
✓ Branch 1 taken 10266 times.
30798 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3060
2/2
✓ Branch 0 taken 148 times.
✓ Branch 1 taken 20384 times.
20532 if (out) *out = l;
3061
2/2
✓ Branch 0 taken 10 times.
✓ Branch 1 taken 20522 times.
20532 if (secp256k1_scalar_is_zero(x)) {
3062
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(secp256k1_scalar_is_zero(&l));
3063 16 return;
3064 }
3065 20522 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3066
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 20522 times.
20522 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3067 20522 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3068
2/2
✓ Branch 0 taken 20516 times.
✓ Branch 1 taken 6 times.
20522 if (secp256k1_scalar_is_zero(&r)) return;
3069 20516 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3070 20516 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3071 20516 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3072 20516 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3073 20516 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3074
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 20516 times.
20516 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3075 }
3076
3077 20568 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3078 {
3079 20568 secp256k1_fe l, r, t;
3080
3081
2/2
✓ Branch 0 taken 10284 times.
✓ Branch 1 taken 10284 times.
30852 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3082
2/2
✓ Branch 0 taken 184 times.
✓ Branch 1 taken 20384 times.
20568 if (out) *out = l;
3083 20568 t = *x; /* t = x */
3084
2/2
✓ Branch 0 taken 10 times.
✓ Branch 1 taken 20558 times.
20568 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3085
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(secp256k1_fe_normalizes_to_zero(&l));
3086 16 return;
3087 }
3088 20558 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3089 20558 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3090
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 20558 times.
20558 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3091 20558 r = *x; /* r = x */
3092 20558 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3093
2/2
✓ Branch 0 taken 20552 times.
✓ Branch 1 taken 6 times.
20558 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3094 20552 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3095 20552 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3096 20552 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3097 20552 secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
3098 20552 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3099
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 20552 times.
20552 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3100 }
3101
3102 1 void run_inverse_tests(void)
3103 {
3104 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3105 1 static const secp256k1_fe fe_cases[][2] = {
3106 /* 0 */
3107 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3108 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3109 /* 1 */
3110 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3111 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3112 /* -1 */
3113 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3114 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3115 /* 2 */
3116 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3117 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3118 /* 2**128 */
3119 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3120 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3121 /* Input known to need 637 divsteps */
3122 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3123 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3124 /* Input known to need 567 divsteps starting with delta=1/2. */
3125 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3126 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3127 /* Input known to need 566 divsteps starting with delta=1/2. */
3128 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3129 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3130 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3131 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3132 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3133 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3134 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3135 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3136 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3137 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3138 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3139 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3140 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3141 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3142 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3143 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3144 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3145 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3146 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3147 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3148 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3149 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3150 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3151 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3152 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3153 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3154 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3155 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3156 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3157 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3158 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3159 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3160 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3161 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3162 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3163 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3164 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3165 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3166 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3167 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3168 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3169 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3170 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3171 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3172 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3173 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3174 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3175 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3176 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3177 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3178 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3179 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3180 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3181 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3182 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3183 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3184 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3185 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3186 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3187 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3188 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3189 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3190 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3191 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3192 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3193 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3194 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3195 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3196 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3197 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3198 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3199 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3200 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3201 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3202 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3203 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3204 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3205 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3206 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3207 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3208 };
3209 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3210 1 static const secp256k1_scalar scalar_cases[][2] = {
3211 /* 0 */
3212 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3213 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3214 /* 1 */
3215 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3216 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3217 /* -1 */
3218 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3219 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3220 /* 2 */
3221 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3222 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3223 /* 2**128 */
3224 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3225 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3226 /* Input known to need 635 divsteps */
3227 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3228 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3229 /* Input known to need 566 divsteps starting with delta=1/2. */
3230 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3231 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3232 /* Input known to need 565 divsteps starting with delta=1/2. */
3233 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3234 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3235 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3236 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3237 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3238 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3239 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3240 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3241 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3242 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3243 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3244 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3245 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3246 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3247 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3248 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3249 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3250 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3251 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3252 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3253 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3254 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3255 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3256 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3257 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3258 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3259 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3260 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3261 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3262 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3263 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3264 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3265 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3266 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3267 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3268 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3269 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3270 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3271 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3272 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3273 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3274 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3275 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3276 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3277 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3278 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3279 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3280 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3281 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3282 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3283 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3284 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3285 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3286 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3287 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3288 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3289 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3290 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3291 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3292 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3293 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3294 };
3295 1 int i, var, testrand;
3296 1 unsigned char b32[32];
3297 1 secp256k1_fe x_fe;
3298 1 secp256k1_scalar x_scalar;
3299 1 memset(b32, 0, sizeof(b32));
3300 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3301
2/2
✓ Branch 0 taken 46 times.
✓ Branch 1 taken 1 times.
47 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3302
2/2
✓ Branch 0 taken 92 times.
✓ Branch 1 taken 46 times.
138 for (var = 0; var <= 1; ++var) {
3303 92 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3304 92 check_fe_equal(&x_fe, &fe_cases[i][1]);
3305 92 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3306 92 check_fe_equal(&x_fe, &fe_cases[i][0]);
3307 }
3308 }
3309
2/2
✓ Branch 0 taken 37 times.
✓ Branch 1 taken 1 times.
38 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3310
2/2
✓ Branch 0 taken 74 times.
✓ Branch 1 taken 37 times.
111 for (var = 0; var <= 1; ++var) {
3311 74 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3312
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 74 times.
74 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3313 74 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3314
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 74 times.
74 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3315 }
3316 }
3317 /* Test inputs 0..999 and their respective negations. */
3318
2/2
✓ Branch 0 taken 1000 times.
✓ Branch 1 taken 1 times.
1001 for (i = 0; i < 1000; ++i) {
3319 1000 b32[31] = i & 0xff;
3320 1000 b32[30] = (i >> 8) & 0xff;
3321 1000 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3322 1000 secp256k1_fe_set_b32(&x_fe, b32);
3323
2/2
✓ Branch 1 taken 2000 times.
✓ Branch 2 taken 1000 times.
4000 for (var = 0; var <= 1; ++var) {
3324 2000 test_inverse_scalar(NULL, &x_scalar, var);
3325 2000 test_inverse_field(NULL, &x_fe, var);
3326 }
3327 1000 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3328 1000 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3329
2/2
✓ Branch 0 taken 2000 times.
✓ Branch 1 taken 1000 times.
3000 for (var = 0; var <= 1; ++var) {
3330 2000 test_inverse_scalar(NULL, &x_scalar, var);
3331 2000 test_inverse_field(NULL, &x_fe, var);
3332 }
3333 }
3334 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3335
2/2
✓ Branch 0 taken 2 times.
✓ Branch 1 taken 1 times.
3 for (testrand = 0; testrand <= 1; ++testrand) {
3336
2/2
✓ Branch 0 taken 8192 times.
✓ Branch 1 taken 2 times.
8194 for (i = 0; i < 64 * count; ++i) {
3337
2/2
✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 4096 times.
12288 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
3338 8192 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3339 8192 secp256k1_fe_set_b32(&x_fe, b32);
3340
2/2
✓ Branch 1 taken 16384 times.
✓ Branch 2 taken 8192 times.
32768 for (var = 0; var <= 1; ++var) {
3341 16384 test_inverse_scalar(NULL, &x_scalar, var);
3342 16384 test_inverse_field(NULL, &x_fe, var);
3343 }
3344 }
3345 }
3346 1 }
3347
3348 /***** GROUP TESTS *****/
3349
3350 501 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
3351
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 501 times.
501 CHECK(a->infinity == b->infinity);
3352
1/2
✓ Branch 0 taken 501 times.
✗ Branch 1 not taken.
501 if (a->infinity) {
3353 return;
3354 }
3355
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 501 times.
501 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
3356
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 501 times.
501 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
3357 }
3358
3359 /* This compares jacobian points including their Z, not just their geometric meaning. */
3360 789 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3361 789 secp256k1_gej a2;
3362 789 secp256k1_gej b2;
3363 789 int ret = 1;
3364 789 ret &= a->infinity == b->infinity;
3365
3/4
✓ Branch 0 taken 789 times.
✗ Branch 1 not taken.
✓ Branch 2 taken 533 times.
✓ Branch 3 taken 256 times.
789 if (ret && !a->infinity) {
3366 533 a2 = *a;
3367 533 b2 = *b;
3368 533 secp256k1_fe_normalize(&a2.x);
3369 533 secp256k1_fe_normalize(&a2.y);
3370 533 secp256k1_fe_normalize(&a2.z);
3371 533 secp256k1_fe_normalize(&b2.x);
3372 533 secp256k1_fe_normalize(&b2.y);
3373 533 secp256k1_fe_normalize(&b2.z);
3374 533 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3375 533 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3376 1066 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3377 }
3378 789 return ret;
3379 }
3380
3381 4475033 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
3382 4475033 secp256k1_fe z2s;
3383 4475033 secp256k1_fe u1, u2, s1, s2;
3384
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4475033 times.
4475033 CHECK(a->infinity == b->infinity);
3385
2/2
✓ Branch 0 taken 336728 times.
✓ Branch 1 taken 4138305 times.
4475033 if (a->infinity) {
3386 336728 return;
3387 }
3388 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3389 4138305 secp256k1_fe_sqr(&z2s, &b->z);
3390 4138305 secp256k1_fe_mul(&u1, &a->x, &z2s);
3391 4138305 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
3392 4138305 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
3393 4138305 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
3394
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4138305 times.
4138305 CHECK(secp256k1_fe_equal_var(&u1, &u2));
3395
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4138305 times.
4138305 CHECK(secp256k1_fe_equal_var(&s1, &s2));
3396 }
3397
3398 2048 void test_ge(void) {
3399 2048 int i, i1;
3400 2048 int runs = 6;
3401 /* 25 points are used:
3402 * - infinity
3403 * - for each of four random points p1 p2 p3 p4, we add the point, its
3404 * negation, and then those two again but with randomized Z coordinate.
3405 * - The same is then done for lambda*p1 and lambda^2*p1.
3406 */
3407 2048 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3408 2048 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3409 2048 secp256k1_fe zf;
3410 2048 secp256k1_fe zfi2, zfi3;
3411
3412 2048 secp256k1_gej_set_infinity(&gej[0]);
3413 2048 secp256k1_ge_clear(&ge[0]);
3414 2048 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
3415
2/2
✓ Branch 1 taken 12288 times.
✓ Branch 2 taken 2048 times.
16384 for (i = 0; i < runs; i++) {
3416 12288 int j;
3417 12288 secp256k1_ge g;
3418 12288 random_group_element_test(&g);
3419
2/2
✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 8192 times.
12288 if (i >= runs - 2) {
3420 4096 secp256k1_ge_mul_lambda(&g, &ge[1]);
3421 }
3422
2/2
✓ Branch 0 taken 2048 times.
✓ Branch 1 taken 2048 times.
4096 if (i >= runs - 1) {
3423 2048 secp256k1_ge_mul_lambda(&g, &g);
3424 }
3425 12288 ge[1 + 4 * i] = g;
3426 12288 ge[2 + 4 * i] = g;
3427 12288 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3428 12288 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3429 12288 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3430 12288 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3431 12288 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3432 12288 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3433
2/2
✓ Branch 1 taken 49152 times.
✓ Branch 2 taken 12288 times.
73728 for (j = 0; j < 4; j++) {
3434 49152 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3435 49152 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3436 49152 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3437 49152 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3438 49152 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3439 }
3440 }
3441
3442 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3443 2049 do {
3444 2049 random_field_element_test(&zf);
3445
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 2048 times.
2049 } while(secp256k1_fe_is_zero(&zf));
3446 2048 random_field_element_magnitude(&zf);
3447 2048 secp256k1_fe_inv_var(&zfi3, &zf);
3448 2048 secp256k1_fe_sqr(&zfi2, &zfi3);
3449 2048 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3450
3451
2/2
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
55296 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3452 int i2;
3453
2/2
✓ Branch 0 taken 1280000 times.
✓ Branch 1 taken 51200 times.
1331200 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3454 /* Compute reference result using gej + gej (var). */
3455 1280000 secp256k1_gej refj, resj;
3456 1280000 secp256k1_ge ref;
3457 1280000 secp256k1_fe zr;
3458
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
1331200 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3459 /* Check Z ratio. */
3460
4/4
✓ Branch 0 taken 1228800 times.
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 1130496 times.
✓ Branch 3 taken 98304 times.
1280000 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3461 1130496 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3462
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1130496 times.
1130496 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
3463 }
3464 1280000 secp256k1_ge_set_gej_var(&ref, &refj);
3465
3466 /* Test gej + ge with Z ratio result (var). */
3467
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
1331200 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3468 1280000 ge_equals_gej(&ref, &resj);
3469
4/4
✓ Branch 0 taken 1228800 times.
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 1130496 times.
✓ Branch 3 taken 98304 times.
1280000 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3470 1130496 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3471
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1130496 times.
1130496 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
3472 }
3473
3474 /* Test gej + ge (var, with additional Z factor). */
3475 {
3476 1280000 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3477 1280000 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3478 1280000 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3479 1280000 random_field_element_magnitude(&ge2_zfi.x);
3480 1280000 random_field_element_magnitude(&ge2_zfi.y);
3481 1280000 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3482 1280000 ge_equals_gej(&ref, &resj);
3483 }
3484
3485 /* Test gej + ge (const). */
3486
2/2
✓ Branch 0 taken 1228800 times.
✓ Branch 1 taken 51200 times.
1280000 if (i2 != 0) {
3487 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3488 1228800 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3489 1228800 ge_equals_gej(&ref, &resj);
3490 }
3491
3492 /* Test doubling (var). */
3493
6/6
✓ Branch 0 taken 1277952 times.
✓ Branch 1 taken 2048 times.
✓ Branch 2 taken 196608 times.
✓ Branch 3 taken 1081344 times.
✓ Branch 4 taken 98304 times.
✓ Branch 5 taken 98304 times.
1280000 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3494 100352 secp256k1_fe zr2;
3495 /* Normal doubling with Z ratio result. */
3496 100352 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3497 100352 ge_equals_gej(&ref, &resj);
3498 /* Check Z ratio. */
3499 100352 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3500
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 100352 times.
100352 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
3501 /* Normal doubling. */
3502 100352 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3503 100352 ge_equals_gej(&ref, &resj);
3504 /* Constant-time doubling. */
3505 100352 secp256k1_gej_double(&resj, &gej[i2]);
3506 100352 ge_equals_gej(&ref, &resj);
3507 }
3508
3509 /* Test adding opposites. */
3510
6/6
✓ Branch 0 taken 1277952 times.
✓ Branch 1 taken 2048 times.
✓ Branch 2 taken 196608 times.
✓ Branch 3 taken 1081344 times.
✓ Branch 4 taken 98304 times.
✓ Branch 5 taken 98304 times.
1280000 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3511
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 100352 times.
100352 CHECK(secp256k1_ge_is_infinity(&ref));
3512 }
3513
3514 /* Test adding infinity. */
3515
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
1280000 if (i1 == 0) {
3516
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
51200 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
3517
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
51200 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
3518 51200 ge_equals_gej(&ref, &gej[i2]);
3519 }
3520
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 1228800 times.
1280000 if (i2 == 0) {
3521
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
51200 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
3522
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
51200 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
3523 51200 ge_equals_gej(&ref, &gej[i1]);
3524 }
3525 }
3526 }
3527
3528 /* Test adding all points together in random order equals infinity. */
3529 {
3530 2048 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
3531 2048 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
3532
2/2
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
55296 for (i = 0; i < 4 * runs + 1; i++) {
3533 51200 gej_shuffled[i] = gej[i];
3534 }
3535
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
53248 for (i = 0; i < 4 * runs + 1; i++) {
3536 51200 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
3537
2/2
✓ Branch 0 taken 43409 times.
✓ Branch 1 taken 7791 times.
51200 if (swap != i) {
3538 43409 secp256k1_gej t = gej_shuffled[i];
3539 43409 gej_shuffled[i] = gej_shuffled[swap];
3540 43409 gej_shuffled[swap] = t;
3541 }
3542 }
3543
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
53248 for (i = 0; i < 4 * runs + 1; i++) {
3544 51200 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3545 }
3546
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2048 times.
2048 CHECK(secp256k1_gej_is_infinity(&sum));
3547 2048 free(gej_shuffled);
3548 }
3549
3550 /* Test batch gej -> ge conversion without known z ratios. */
3551 {
3552 2048 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
3553 2048 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3554
2/2
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
55296 for (i = 0; i < 4 * runs + 1; i++) {
3555 51200 secp256k1_fe s;
3556 51200 random_fe_non_zero(&s);
3557 51200 secp256k1_gej_rescale(&gej[i], &s);
3558 51200 ge_equals_gej(&ge_set_all[i], &gej[i]);
3559 }
3560 2048 free(ge_set_all);
3561 }
3562
3563 /* Test batch gej -> ge conversion with many infinities. */
3564
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
53248 for (i = 0; i < 4 * runs + 1; i++) {
3565 51200 int odd;
3566 51200 random_group_element_test(&ge[i]);
3567
2/2
✓ Branch 0 taken 25412 times.
✓ Branch 1 taken 25788 times.
51200 odd = secp256k1_fe_is_odd(&ge[i].x);
3568 51200 CHECK(odd == 0 || odd == 1);
3569 /* randomly set half the points to infinity */
3570
2/2
✓ Branch 0 taken 25412 times.
✓ Branch 1 taken 25788 times.
51200 if (odd == i % 2) {
3571 25412 secp256k1_ge_set_infinity(&ge[i]);
3572 }
3573 51200 secp256k1_gej_set_ge(&gej[i], &ge[i]);
3574 }
3575 /* batch convert */
3576 2048 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3577 /* check result */
3578
2/2
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
55296 for (i = 0; i < 4 * runs + 1; i++) {
3579 51200 ge_equals_gej(&ge[i], &gej[i]);
3580 }
3581
3582 /* Test batch gej -> ge conversion with all infinities. */
3583
2/2
✓ Branch 0 taken 51200 times.
✓ Branch 1 taken 2048 times.
53248 for (i = 0; i < 4 * runs + 1; i++) {
3584 51200 secp256k1_gej_set_infinity(&gej[i]);
3585 }
3586 /* batch convert */
3587 2048 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3588 /* check result */
3589
2/2
✓ Branch 1 taken 51200 times.
✓ Branch 2 taken 2048 times.
55296 for (i = 0; i < 4 * runs + 1; i++) {
3590
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 51200 times.
51200 CHECK(secp256k1_ge_is_infinity(&ge[i]));
3591 }
3592
3593 2048 free(ge);
3594 2048 free(gej);
3595 2048 }
3596
3597
3598 1 void test_intialized_inf(void) {
3599 1 secp256k1_ge p;
3600 1 secp256k1_gej pj, npj, infj1, infj2, infj3;
3601 1 secp256k1_fe zinv;
3602
3603 /* Test that adding P+(-P) results in a fully initialized infinity*/
3604 1 random_group_element_test(&p);
3605 1 secp256k1_gej_set_ge(&pj, &p);
3606 1 secp256k1_gej_neg(&npj, &pj);
3607
3608 1 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
3609
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_gej_is_infinity(&infj1));
3610
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj1.x));
3611
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj1.y));
3612
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj1.z));
3613
3614 1 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
3615
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_gej_is_infinity(&infj2));
3616
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj2.x));
3617
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj2.y));
3618
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj2.z));
3619
3620 1 secp256k1_fe_set_int(&zinv, 1);
3621 1 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3622
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_gej_is_infinity(&infj3));
3623
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj3.x));
3624
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj3.y));
3625
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_is_zero(&infj3.z));
3626
3627
3628 1 }
3629
3630 1 void test_add_neg_y_diff_x(void) {
3631 /* The point of this test is to check that we can add two points
3632 * whose y-coordinates are negatives of each other but whose x
3633 * coordinates differ. If the x-coordinates were the same, these
3634 * points would be negatives of each other and their sum is
3635 * infinity. This is cool because it "covers up" any degeneracy
3636 * in the addition algorithm that would cause the xy coordinates
3637 * of the sum to be wrong (since infinity has no xy coordinates).
3638 * HOWEVER, if the x-coordinates are different, infinity is the
3639 * wrong answer, and such degeneracies are exposed. This is the
3640 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3641 * which this test is a regression test for.
3642 *
3643 * These points were generated in sage as
3644 * # secp256k1 params
3645 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3646 * C = EllipticCurve ([F (0), F (7)])
3647 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3648 * N = FiniteField(G.order())
3649 *
3650 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3651 * x = polygen(N)
3652 * lam = (1 - x^3).roots()[1][0]
3653 *
3654 * # random "bad pair"
3655 * P = C.random_element()
3656 * Q = -int(lam) * P
3657 * print " P: %x %x" % P.xy()
3658 * print " Q: %x %x" % Q.xy()
3659 * print "P + Q: %x %x" % (P + Q).xy()
3660 */
3661 1 secp256k1_gej aj = SECP256K1_GEJ_CONST(
3662 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3663 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3664 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3665 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3666 );
3667 1 secp256k1_gej bj = SECP256K1_GEJ_CONST(
3668 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3669 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3670 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3671 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3672 );
3673 1 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
3674 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3675 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3676 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3677 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3678 );
3679 1 secp256k1_ge b;
3680 1 secp256k1_gej resj;
3681 1 secp256k1_ge res;
3682 1 secp256k1_ge_set_gej(&b, &bj);
3683
3684 1 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
3685 1 secp256k1_ge_set_gej(&res, &resj);
3686 1 ge_equals_gej(&res, &sumj);
3687
3688 1 secp256k1_gej_add_ge(&resj, &aj, &b);
3689 1 secp256k1_ge_set_gej(&res, &resj);
3690 1 ge_equals_gej(&res, &sumj);
3691
3692 1 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
3693 1 secp256k1_ge_set_gej(&res, &resj);
3694 1 ge_equals_gej(&res, &sumj);
3695 1 }
3696
3697 1 void run_ge(void) {
3698 1 int i;
3699
2/2
✓ Branch 0 taken 2048 times.
✓ Branch 1 taken 1 times.
2049 for (i = 0; i < count * 32; i++) {
3700 2048 test_ge();
3701 }
3702 1 test_add_neg_y_diff_x();
3703 1 test_intialized_inf();
3704 1 }
3705
3706 384 void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
3707 384 secp256k1_gej t = *a;
3708 384 secp256k1_gej_cmov(&t, b, 0);
3709
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 384 times.
384 CHECK(gej_xyz_equals_gej(&t, a));
3710 384 secp256k1_gej_cmov(&t, b, 1);
3711
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 384 times.
384 CHECK(gej_xyz_equals_gej(&t, b));
3712 384 }
3713
3714 1 void run_gej(void) {
3715 1 int i;
3716 1 secp256k1_gej a, b;
3717
3718 /* Tests for secp256k1_gej_cmov */
3719
2/2
✓ Branch 0 taken 64 times.
✓ Branch 1 taken 1 times.
65 for (i = 0; i < count; i++) {
3720 64 secp256k1_gej_set_infinity(&a);
3721 64 secp256k1_gej_set_infinity(&b);
3722 64 test_gej_cmov(&a, &b);
3723
3724 64 random_gej_test(&a);
3725 64 test_gej_cmov(&a, &b);
3726 64 test_gej_cmov(&b, &a);
3727
3728 64 b = a;
3729 64 test_gej_cmov(&a, &b);
3730
3731 64 random_gej_test(&b);
3732 64 test_gej_cmov(&a, &b);
3733 64 test_gej_cmov(&b, &a);
3734 }
3735 1 }
3736
3737 512 void test_ec_combine(void) {
3738 512 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3739 512 secp256k1_pubkey data[6];
3740 512 const secp256k1_pubkey* d[6];
3741 512 secp256k1_pubkey sd;
3742 512 secp256k1_pubkey sd2;
3743 512 secp256k1_gej Qj;
3744 512 secp256k1_ge Q;
3745 512 int i;
3746
2/2
✓ Branch 0 taken 3072 times.
✓ Branch 1 taken 512 times.
3584 for (i = 1; i <= 6; i++) {
3747 3072 secp256k1_scalar s;
3748 3072 random_scalar_order_test(&s);
3749 3072 secp256k1_scalar_add(&sum, &sum, &s);
3750 3072 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
3751 3072 secp256k1_ge_set_gej(&Q, &Qj);
3752 3072 secp256k1_pubkey_save(&data[i - 1], &Q);
3753 3072 d[i - 1] = &data[i - 1];
3754 3072 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
3755 3072 secp256k1_ge_set_gej(&Q, &Qj);
3756 3072 secp256k1_pubkey_save(&sd, &Q);
3757
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 3072 times.
3072 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3758
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 3072 times.
3072 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3759 }
3760 512 }
3761
3762 1 void run_ec_combine(void) {
3763 1 int i;
3764
2/2
✓ Branch 0 taken 512 times.
✓ Branch 1 taken 1 times.
513 for (i = 0; i < count * 8; i++) {
3765 512 test_ec_combine();
3766 }
3767 1 }
3768
3769 512 void test_ec_commit(void) {
3770 512 secp256k1_scalar seckey_s;
3771 512 secp256k1_ge pubkey;
3772 512 secp256k1_gej pubkeyj;
3773 512 secp256k1_ge commitment;
3774 512 unsigned char data[32];
3775 512 secp256k1_sha256 sha;
3776
3777 /* Create random keypair and data */
3778 512 random_scalar_order_test(&seckey_s);
3779 512 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s);
3780 512 secp256k1_ge_set_gej(&pubkey, &pubkeyj);
3781 512 secp256k1_testrand256_test(data);
3782
3783 /* Commit to data and verify */
3784 512 secp256k1_sha256_initialize(&sha);
3785
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ec_commit(&commitment, &pubkey, &sha, data, 32) == 1);
3786 512 secp256k1_sha256_initialize(&sha);
3787
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 32) == 1);
3788 512 secp256k1_sha256_initialize(&sha);
3789
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 1);
3790 512 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s);
3791 512 ge_equals_gej(&commitment, &pubkeyj);
3792
3793 /* Check that verification fails with different data */
3794 512 secp256k1_sha256_initialize(&sha);
3795
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 31) == 0);
3796
3797 /* Check that commmitting fails when the inner pubkey is the point at
3798 * infinity */
3799 512 secp256k1_sha256_initialize(&sha);
3800 512 secp256k1_ge_set_infinity(&pubkey);
3801
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ec_commit(&commitment, &pubkey, &sha, data, 32) == 0);
3802 512 secp256k1_scalar_set_int(&seckey_s, 0);
3803
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 0);
3804
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 32) == 0);
3805 512 }
3806
3807 1 void test_ec_commit_api(void) {
3808 1 unsigned char seckey[32];
3809 1 secp256k1_scalar seckey_s;
3810 1 secp256k1_ge pubkey;
3811 1 secp256k1_gej pubkeyj;
3812 1 secp256k1_ge commitment;
3813 1 unsigned char data[32];
3814 1 secp256k1_sha256 sha;
3815
3816 1 memset(data, 23, sizeof(data));
3817
3818 /* Create random keypair */
3819 1 random_scalar_order_test(&seckey_s);
3820 1 secp256k1_scalar_get_b32(seckey, &seckey_s);
3821 1 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s);
3822 1 secp256k1_ge_set_gej(&pubkey, &pubkeyj);
3823
3824 1 secp256k1_sha256_initialize(&sha);
3825
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_commit(&commitment, &pubkey, &sha, data, 1) == 1);
3826 /* The same pubkey can be both input and output of the function */
3827 {
3828 1 secp256k1_ge pubkey_tmp = pubkey;
3829 1 secp256k1_sha256_initialize(&sha);
3830
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_commit(&pubkey_tmp, &pubkey_tmp, &sha, data, 1) == 1);
3831 1 ge_equals_ge(&commitment, &pubkey_tmp);
3832 }
3833
3834 1 secp256k1_sha256_initialize(&sha);
3835
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_commit_verify(&commitment, &pubkey, &sha, data, 1) == 1);
3836 1 }
3837
3838 1 void run_ec_commit(void) {
3839 1 int i;
3840
2/2
✓ Branch 0 taken 512 times.
✓ Branch 1 taken 1 times.
513 for (i = 0; i < count * 8; i++) {
3841 512 test_ec_commit();
3842 }
3843 1 test_ec_commit_api();
3844 1 }
3845
3846 256 void test_group_decompress(const secp256k1_fe* x) {
3847 /* The input itself, normalized. */
3848 256 secp256k1_fe fex = *x;
3849 256 secp256k1_fe fez;
3850 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
3851 256 secp256k1_ge ge_quad, ge_even, ge_odd;
3852 256 secp256k1_gej gej_quad;
3853 /* Return values of the above calls. */
3854 256 int res_quad, res_even, res_odd;
3855
3856 256 secp256k1_fe_normalize_var(&fex);
3857
3858 256 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
3859 256 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
3860 256 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
3861
3862
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
256 CHECK(res_quad == res_even);
3863
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
256 CHECK(res_quad == res_odd);
3864
3865
2/2
✓ Branch 0 taken 135 times.
✓ Branch 1 taken 121 times.
256 if (res_quad) {
3866 135 secp256k1_fe_normalize_var(&ge_quad.x);
3867 135 secp256k1_fe_normalize_var(&ge_odd.x);
3868 135 secp256k1_fe_normalize_var(&ge_even.x);
3869 135 secp256k1_fe_normalize_var(&ge_quad.y);
3870 135 secp256k1_fe_normalize_var(&ge_odd.y);
3871 135 secp256k1_fe_normalize_var(&ge_even.y);
3872
3873 /* No infinity allowed. */
3874
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(!ge_quad.infinity);
3875
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(!ge_even.infinity);
3876
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(!ge_odd.infinity);
3877
3878 /* Check that the x coordinates check out. */
3879
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
3880
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
3881
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
3882
3883 /* Check that the Y coordinate result in ge_quad is a square. */
3884
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
135 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
3885
3886 /* Check odd/even Y in ge_odd, ge_even. */
3887
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
3888
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
3889
3890 /* Check secp256k1_gej_has_quad_y_var. */
3891 135 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
3892
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
135 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3893 135 do {
3894 135 random_fe_test(&fez);
3895
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 } while (secp256k1_fe_is_zero(&fez));
3896 135 secp256k1_gej_rescale(&gej_quad, &fez);
3897
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
135 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3898 135 secp256k1_gej_neg(&gej_quad, &gej_quad);
3899
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
135 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3900 135 do {
3901 135 random_fe_test(&fez);
3902
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 135 times.
135 } while (secp256k1_fe_is_zero(&fez));
3903 135 secp256k1_gej_rescale(&gej_quad, &fez);
3904
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
135 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
3905 135 secp256k1_gej_neg(&gej_quad, &gej_quad);
3906
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 135 times.
135 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
3907 }
3908 256 }
3909
3910 1 void run_group_decompress(void) {
3911 1 int i;
3912
2/2
✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
257 for (i = 0; i < count * 4; i++) {
3913 256 secp256k1_fe fe;
3914 256 random_fe_test(&fe);
3915 256 test_group_decompress(&fe);
3916 }
3917 1 }
3918
3919 /***** ECMULT TESTS *****/
3920
3921 2 void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
3922 /* Tests the pre_g / pre_g_128 tables for consistency.
3923 * For independent verification we take a "geometric" approach to verification.
3924 * We check that every entry is on-curve.
3925 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
3926 * (1) p, gg, and -q are colinear.
3927 * (2) p, gg, and -q are all distinct.
3928 * where gg is twice the generator, where the generator is the first table entry.
3929 *
3930 * Checking the table's generators are correct is done in run_ecmult_pre_g.
3931 */
3932 2 secp256k1_gej g2;
3933 2 secp256k1_ge p, q, gg;
3934 2 secp256k1_fe dpx, dpy, dqx, dqy;
3935 2 size_t i;
3936
3937
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(0 < n);
3938
3939 2 secp256k1_ge_from_storage(&p, &pre_g[0]);
3940
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ge_is_valid_var(&p));
3941
3942 2 secp256k1_gej_set_ge(&g2, &p);
3943 2 secp256k1_gej_double_var(&g2, &g2, NULL);
3944 2 secp256k1_ge_set_gej_var(&gg, &g2);
3945
2/2
✓ Branch 1 taken 16382 times.
✓ Branch 2 taken 2 times.
16386 for (i = 1; i < n; ++i) {
3946 16382 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
3947 16382 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
3948 /* Check that p is not equal to gg */
3949
1/4
✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
16382 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
3950
3951 16382 secp256k1_ge_from_storage(&q, &pre_g[i]);
3952
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 16382 times.
16382 CHECK(secp256k1_ge_is_valid_var(&q));
3953
3954 16382 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); secp256k1_fe_normalize_weak(&dqx);
3955 16382 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); secp256k1_fe_normalize_weak(&dqy);
3956 /* Check that -q is not equal to gg */
3957
1/4
✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
16382 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
3958
3959 /* Check that -q is not equal to p */
3960
1/4
✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
16382 CHECK(!secp256k1_fe_equal_var(&dpx, &dqx) || !secp256k1_fe_equal_var(&dpy, &dqy));
3961
3962 /* Check that p, -q and gg are colinear */
3963 16382 secp256k1_fe_mul(&dpx, &dpx, &dqy);
3964 16382 secp256k1_fe_mul(&dpy, &dpy, &dqx);
3965
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 16382 times.
16382 CHECK(secp256k1_fe_equal_var(&dpx, &dpy));
3966
3967 16382 p = q;
3968 }
3969 2 }
3970
3971 1 void run_ecmult_pre_g(void) {
3972 1 secp256k1_ge_storage gs;
3973 1 secp256k1_gej gj;
3974 1 secp256k1_ge g;
3975 1 size_t i;
3976
3977 /* Check that the pre_g and pre_g_128 tables are consistent. */
3978 1 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
3979 1 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
3980
3981 /* Check the first entry from the pre_g table. */
3982 1 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
3983
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
3984
3985 /* Check the first entry from the pre_g_128 table. */
3986 1 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
3987
2/2
✓ Branch 1 taken 128 times.
✓ Branch 2 taken 1 times.
130 for (i = 0; i < 128; ++i) {
3988 128 secp256k1_gej_double_var(&gj, &gj, NULL);
3989 }
3990 1 secp256k1_ge_set_gej(&g, &gj);
3991 1 secp256k1_ge_to_storage(&gs, &g);
3992
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
3993 1 }
3994
3995 1 void run_ecmult_chain(void) {
3996 /* random starting point A (on the curve) */
3997 1 secp256k1_gej a = SECP256K1_GEJ_CONST(
3998 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3999 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4000 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4001 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4002 );
4003 /* two random initial factors xn and gn */
4004 1 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4005 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4006 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4007 );
4008 1 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4009 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4010 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4011 );
4012 /* two small multipliers to be applied to xn and gn in every iteration: */
4013 1 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4014 1 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4015 /* accumulators with the resulting coefficients to A and G */
4016 1 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4017 1 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4018 /* actual points */
4019 1 secp256k1_gej x;
4020 1 secp256k1_gej x2;
4021 1 int i;
4022
4023 /* the point being computed */
4024 1 x = a;
4025
2/2
✓ Branch 0 taken 12800 times.
✓ Branch 1 taken 1 times.
12801 for (i = 0; i < 200*count; i++) {
4026 /* in each iteration, compute X = xn*X + gn*G; */
4027 12800 secp256k1_ecmult(&x, &x, &xn, &gn);
4028 /* also compute ae and ge: the actual accumulated factors for A and G */
4029 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4030 12800 secp256k1_scalar_mul(&ae, &ae, &xn);
4031 12800 secp256k1_scalar_mul(&ge, &ge, &xn);
4032 12800 secp256k1_scalar_add(&ge, &ge, &gn);
4033 /* modify xn and gn */
4034 12800 secp256k1_scalar_mul(&xn, &xn, &xf);
4035 12800 secp256k1_scalar_mul(&gn, &gn, &gf);
4036
4037 /* verify */
4038
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 if (i == 19999) {
4039 /* expected result after 19999 iterations */
4040 secp256k1_gej rp = SECP256K1_GEJ_CONST(
4041 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4042 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4043 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4044 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4045 );
4046
4047 secp256k1_gej_neg(&rp, &rp);
4048 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
4049 CHECK(secp256k1_gej_is_infinity(&rp));
4050 }
4051 }
4052 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4053 1 secp256k1_ecmult(&x2, &a, &ae, &ge);
4054 1 secp256k1_gej_neg(&x2, &x2);
4055 1 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
4056
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_gej_is_infinity(&x2));
4057 1 }
4058
4059 250 void test_point_times_order(const secp256k1_gej *point) {
4060 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4061 250 secp256k1_scalar x;
4062 250 secp256k1_scalar nx;
4063 250 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4064 250 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4065 250 secp256k1_gej res1, res2;
4066 250 secp256k1_ge res3;
4067 250 unsigned char pub[65];
4068 250 size_t psize = 65;
4069 250 random_scalar_order_test(&x);
4070 250 secp256k1_scalar_negate(&nx, &x);
4071 250 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4072 250 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4073 250 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4074
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 250 times.
250 CHECK(secp256k1_gej_is_infinity(&res1));
4075 250 secp256k1_ge_set_gej(&res3, &res1);
4076
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 250 times.
250 CHECK(secp256k1_ge_is_infinity(&res3));
4077
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
250 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4078
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
250 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
4079 250 psize = 65;
4080
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
250 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4081 /* check zero/one edge cases */
4082 250 secp256k1_ecmult(&res1, point, &zero, &zero);
4083 250 secp256k1_ge_set_gej(&res3, &res1);
4084
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 250 times.
250 CHECK(secp256k1_ge_is_infinity(&res3));
4085 250 secp256k1_ecmult(&res1, point, &one, &zero);
4086 250 secp256k1_ge_set_gej(&res3, &res1);
4087 250 ge_equals_gej(&res3, point);
4088 250 secp256k1_ecmult(&res1, point, &zero, &one);
4089 250 secp256k1_ge_set_gej(&res3, &res1);
4090 250 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4091 250 }
4092
4093 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4094 *
4095 * They are computed as:
4096 * - For a in [-2, -1, 0, 1, 2]:
4097 * - For b in [-3, -1, 1, 3]:
4098 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4099 */
4100 static const secp256k1_scalar scalars_near_split_bounds[20] = {
4101 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4102 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4103 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4104 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4105 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4106 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4107 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4108 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4109 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4110 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4111 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4112 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4113 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4114 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4115 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4116 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4117 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4118 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4119 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4120 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4121 };
4122
4123 15360 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4124 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4125 15360 secp256k1_scalar n1, n2;
4126 15360 secp256k1_ge p;
4127 15360 secp256k1_gej pj, p1j, p2j, ptj;
4128 15360 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4129
4130 /* Generate random n1,n2 such that n1+n2 = -target. */
4131 15360 random_scalar_order_test(&n1);
4132 15360 secp256k1_scalar_add(&n2, &n1, target);
4133 15360 secp256k1_scalar_negate(&n2, &n2);
4134
4135 /* Generate a random input point. */
4136
2/2
✓ Branch 0 taken 5120 times.
✓ Branch 1 taken 10240 times.
15360 if (mode != 0) {
4137 10240 random_group_element_test(&p);
4138 10240 secp256k1_gej_set_ge(&pj, &p);
4139 }
4140
4141 /* EC multiplications */
4142 15360 if (mode == 0) {
4143 5120 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
4144 5120 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
4145 5120 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
4146
2/2
✓ Branch 0 taken 5120 times.
✓ Branch 1 taken 5120 times.
10240 } else if (mode == 1) {
4147 5120 secp256k1_ecmult(&p1j, &pj, &n1, &zero);
4148 5120 secp256k1_ecmult(&p2j, &pj, &n2, &zero);
4149 5120 secp256k1_ecmult(&ptj, &pj, target, &zero);
4150 } else {
4151 5120 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
4152 5120 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
4153 5120 secp256k1_ecmult_const(&ptj, &p, target, 256);
4154 }
4155
4156 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4157 15360 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4158 15360 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4159
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 15360 times.
15360 CHECK(secp256k1_gej_is_infinity(&ptj));
4160 15360 }
4161
4162 1 void run_ecmult_near_split_bound(void) {
4163 1 int i;
4164 1 unsigned j;
4165
2/2
✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
257 for (i = 0; i < 4*count; ++i) {
4166
2/2
✓ Branch 0 taken 5120 times.
✓ Branch 1 taken 256 times.
5376 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
4167 5120 test_ecmult_target(&scalars_near_split_bounds[j], 0);
4168 5120 test_ecmult_target(&scalars_near_split_bounds[j], 1);
4169 5120 test_ecmult_target(&scalars_near_split_bounds[j], 2);
4170 }
4171 }
4172 1 }
4173
4174 1 void run_point_times_order(void) {
4175 1 int i;
4176 1 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4177 1 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4178 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4179 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4180 );
4181
2/2
✓ Branch 0 taken 500 times.
✓ Branch 1 taken 1 times.
501 for (i = 0; i < 500; i++) {
4182 500 secp256k1_ge p;
4183
2/2
✓ Branch 1 taken 250 times.
✓ Branch 2 taken 250 times.
500 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4184 250 secp256k1_gej j;
4185
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 250 times.
250 CHECK(secp256k1_ge_is_valid_var(&p));
4186 250 secp256k1_gej_set_ge(&j, &p);
4187 250 test_point_times_order(&j);
4188 }
4189 500 secp256k1_fe_sqr(&x, &x);
4190 }
4191 1 secp256k1_fe_normalize_var(&x);
4192
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_fe_equal_var(&x, &xr));
4193 1 }
4194
4195 1 void ecmult_const_random_mult(void) {
4196 /* random starting point A (on the curve) */
4197 1 secp256k1_ge a = SECP256K1_GE_CONST(
4198 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4199 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4200 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4201 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4202 );
4203 /* random initial factor xn */
4204 1 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4205 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4206 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4207 );
4208 /* expected xn * A (from sage) */
4209 1 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4210 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4211 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4212 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4213 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4214 );
4215 1 secp256k1_gej b;
4216 1 secp256k1_ecmult_const(&b, &a, &xn, 256);
4217
4218
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ge_is_valid_var(&a));
4219 1 ge_equals_gej(&expected_b, &b);
4220 1 }
4221
4222 1 void ecmult_const_commutativity(void) {
4223 1 secp256k1_scalar a;
4224 1 secp256k1_scalar b;
4225 1 secp256k1_gej res1;
4226 1 secp256k1_gej res2;
4227 1 secp256k1_ge mid1;
4228 1 secp256k1_ge mid2;
4229 1 random_scalar_order_test(&a);
4230 1 random_scalar_order_test(&b);
4231
4232 1 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
4233 1 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
4234 1 secp256k1_ge_set_gej(&mid1, &res1);
4235 1 secp256k1_ge_set_gej(&mid2, &res2);
4236 1 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
4237 1 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
4238 1 secp256k1_ge_set_gej(&mid1, &res1);
4239 1 secp256k1_ge_set_gej(&mid2, &res2);
4240 1 ge_equals_ge(&mid1, &mid2);
4241 1 }
4242
4243 1 void ecmult_const_mult_zero_one(void) {
4244 1 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4245 1 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4246 1 secp256k1_scalar negone;
4247 1 secp256k1_gej res1;
4248 1 secp256k1_ge res2;
4249 1 secp256k1_ge point;
4250 1 secp256k1_scalar_negate(&negone, &one);
4251
4252 1 random_group_element_test(&point);
4253 1 secp256k1_ecmult_const(&res1, &point, &zero, 3);
4254 1 secp256k1_ge_set_gej(&res2, &res1);
4255
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_ge_is_infinity(&res2));
4256 1 secp256k1_ecmult_const(&res1, &point, &one, 2);
4257 1 secp256k1_ge_set_gej(&res2, &res1);
4258 1 ge_equals_ge(&res2, &point);
4259 1 secp256k1_ecmult_const(&res1, &point, &negone, 256);
4260 1 secp256k1_gej_neg(&res1, &res1);
4261 1 secp256k1_ge_set_gej(&res2, &res1);
4262 1 ge_equals_ge(&res2, &point);
4263 1 }
4264
4265 1 void ecmult_const_chain_multiply(void) {
4266 /* Check known result (randomly generated test problem from sage) */
4267 1 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4268 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4269 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4270 );
4271 1 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4272 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4273 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4274 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4275 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4276 );
4277 1 secp256k1_gej point;
4278 1 secp256k1_ge res;
4279 1 int i;
4280
4281 1 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4282
2/2
✓ Branch 1 taken 100 times.
✓ Branch 2 taken 1 times.
102 for (i = 0; i < 100; ++i) {
4283 100 secp256k1_ge tmp;
4284 100 secp256k1_ge_set_gej(&tmp, &point);
4285 100 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
4286 }
4287 1 secp256k1_ge_set_gej(&res, &point);
4288 1 ge_equals_gej(&res, &expected_point);
4289 1 }
4290
4291 1 void run_ecmult_const_tests(void) {
4292 1 ecmult_const_mult_zero_one();
4293 1 ecmult_const_random_mult();
4294 1 ecmult_const_commutativity();
4295 1 ecmult_const_chain_multiply();
4296 1 }
4297
4298 typedef struct {
4299 secp256k1_scalar *sc;
4300 secp256k1_ge *pt;
4301 } ecmult_multi_data;
4302
4303 183543 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4304 183543 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4305 183543 *sc = data->sc[idx];
4306 183543 *pt = data->pt[idx];
4307 183543 return 1;
4308 }
4309
4310 320 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4311 320 (void)sc;
4312 320 (void)pt;
4313 320 (void)idx;
4314 320 (void)cbdata;
4315 320 return 0;
4316 }
4317
4318 5 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4319 5 int ncount;
4320 5 secp256k1_scalar szero;
4321 5 secp256k1_scalar sc[32];
4322 5 secp256k1_ge pt[32];
4323 5 secp256k1_gej r;
4324 5 secp256k1_gej r2;
4325 5 ecmult_multi_data data;
4326
4327 5 data.sc = sc;
4328 5 data.pt = pt;
4329 5 secp256k1_scalar_set_int(&szero, 0);
4330
4331 /* No points to multiply */
4332
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
5 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4333
4334 /* Check 1- and 2-point multiplies against ecmult */
4335
2/2
✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
325 for (ncount = 0; ncount < count; ncount++) {
4336 320 secp256k1_ge ptg;
4337 320 secp256k1_gej ptgj;
4338 320 random_scalar_order(&sc[0]);
4339 320 random_scalar_order(&sc[1]);
4340
4341 320 random_group_element_test(&ptg);
4342 320 secp256k1_gej_set_ge(&ptgj, &ptg);
4343 320 pt[0] = ptg;
4344 320 pt[1] = secp256k1_ge_const_g;
4345
4346 /* only G scalar */
4347 320 secp256k1_ecmult(&r2, &ptgj, &szero, &sc[0]);
4348
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4349 320 secp256k1_gej_neg(&r2, &r2);
4350 320 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4351
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
320 CHECK(secp256k1_gej_is_infinity(&r));
4352
4353 /* 1-point */
4354 320 secp256k1_ecmult(&r2, &ptgj, &sc[0], &szero);
4355
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
4356 320 secp256k1_gej_neg(&r2, &r2);
4357 320 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4358
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
320 CHECK(secp256k1_gej_is_infinity(&r));
4359
4360 /* Try to multiply 1 point, but callback returns false */
4361
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(!ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
4362
4363 /* 2-point */
4364 320 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4365
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
4366 320 secp256k1_gej_neg(&r2, &r2);
4367 320 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4368
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
320 CHECK(secp256k1_gej_is_infinity(&r));
4369
4370 /* 2-point with G scalar */
4371 320 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4372
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4373 320 secp256k1_gej_neg(&r2, &r2);
4374 320 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4375
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
320 CHECK(secp256k1_gej_is_infinity(&r));
4376 }
4377
4378 /* Check infinite outputs of various forms */
4379
2/2
✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
325 for (ncount = 0; ncount < count; ncount++) {
4380 320 secp256k1_ge ptg;
4381 320 size_t i, j;
4382 320 size_t sizes[] = { 2, 10, 32 };
4383
4384
2/2
✓ Branch 0 taken 960 times.
✓ Branch 1 taken 320 times.
1280 for (j = 0; j < 3; j++) {
4385
2/2
✓ Branch 0 taken 30720 times.
✓ Branch 1 taken 960 times.
31680 for (i = 0; i < 32; i++) {
4386 30720 random_scalar_order(&sc[i]);
4387 30720 secp256k1_ge_set_infinity(&pt[i]);
4388 }
4389
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
960 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4390
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
960 CHECK(secp256k1_gej_is_infinity(&r));
4391 }
4392
4393
2/2
✓ Branch 0 taken 960 times.
✓ Branch 1 taken 320 times.
1280 for (j = 0; j < 3; j++) {
4394
2/2
✓ Branch 0 taken 30720 times.
✓ Branch 1 taken 960 times.
31680 for (i = 0; i < 32; i++) {
4395 30720 random_group_element_test(&ptg);
4396 30720 pt[i] = ptg;
4397 30720 secp256k1_scalar_set_int(&sc[i], 0);
4398 }
4399
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
960 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4400
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
960 CHECK(secp256k1_gej_is_infinity(&r));
4401 }
4402
4403
2/2
✓ Branch 0 taken 960 times.
✓ Branch 1 taken 320 times.
1280 for (j = 0; j < 3; j++) {
4404 960 random_group_element_test(&ptg);
4405
2/2
✓ Branch 1 taken 15360 times.
✓ Branch 2 taken 960 times.
17280 for (i = 0; i < 16; i++) {
4406 15360 random_scalar_order(&sc[2*i]);
4407 15360 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4408 15360 pt[2 * i] = ptg;
4409 15360 pt[2 * i + 1] = ptg;
4410 }
4411
4412
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
960 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4413
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
960 CHECK(secp256k1_gej_is_infinity(&r));
4414
4415 960 random_scalar_order(&sc[0]);
4416
2/2
✓ Branch 1 taken 15360 times.
✓ Branch 2 taken 960 times.
17280 for (i = 0; i < 16; i++) {
4417 15360 random_group_element_test(&ptg);
4418
4419 15360 sc[2*i] = sc[0];
4420 15360 sc[2*i+1] = sc[0];
4421 15360 pt[2 * i] = ptg;
4422 15360 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4423 }
4424
4425
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 960 times.
960 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4426
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 960 times.
960 CHECK(secp256k1_gej_is_infinity(&r));
4427 }
4428
4429 320 random_group_element_test(&ptg);
4430 320 secp256k1_scalar_set_int(&sc[0], 0);
4431 320 pt[0] = ptg;
4432
2/2
✓ Branch 0 taken 9920 times.
✓ Branch 1 taken 320 times.
10240 for (i = 1; i < 32; i++) {
4433 9920 pt[i] = ptg;
4434
4435 9920 random_scalar_order(&sc[i]);
4436 9920 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4437 9920 secp256k1_scalar_negate(&sc[i], &sc[i]);
4438 }
4439
4440
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
4441
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
320 CHECK(secp256k1_gej_is_infinity(&r));
4442 }
4443
4444 /* Check random points, constant scalar */
4445
2/2
✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
325 for (ncount = 0; ncount < count; ncount++) {
4446 320 size_t i;
4447 320 secp256k1_gej_set_infinity(&r);
4448
4449 320 random_scalar_order(&sc[0]);
4450
2/2
✓ Branch 1 taken 6400 times.
✓ Branch 2 taken 320 times.
7040 for (i = 0; i < 20; i++) {
4451 6400 secp256k1_ge ptg;
4452 6400 sc[i] = sc[0];
4453 6400 random_group_element_test(&ptg);
4454 6400 pt[i] = ptg;
4455 6400 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
4456 }
4457
4458 320 secp256k1_ecmult(&r2, &r, &sc[0], &szero);
4459
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4460 320 secp256k1_gej_neg(&r2, &r2);
4461 320 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4462
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
320 CHECK(secp256k1_gej_is_infinity(&r));
4463 }
4464
4465 /* Check random scalars, constant point */
4466
2/2
✓ Branch 0 taken 320 times.
✓ Branch 1 taken 5 times.
325 for (ncount = 0; ncount < count; ncount++) {
4467 320 size_t i;
4468 320 secp256k1_ge ptg;
4469 320 secp256k1_gej p0j;
4470 320 secp256k1_scalar rs;
4471 320 secp256k1_scalar_set_int(&rs, 0);
4472
4473 320 random_group_element_test(&ptg);
4474
2/2
✓ Branch 1 taken 6400 times.
✓ Branch 2 taken 320 times.
7040 for (i = 0; i < 20; i++) {
4475 6400 random_scalar_order(&sc[i]);
4476 6400 pt[i] = ptg;
4477 6400 secp256k1_scalar_add(&rs, &rs, &sc[i]);
4478 }
4479
4480 320 secp256k1_gej_set_ge(&p0j, &pt[0]);
4481 320 secp256k1_ecmult(&r2, &p0j, &rs, &szero);
4482
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 320 times.
320 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4483 320 secp256k1_gej_neg(&r2, &r2);
4484 320 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4485
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 320 times.
320 CHECK(secp256k1_gej_is_infinity(&r));
4486 }
4487
4488 /* Sanity check that zero scalars don't cause problems */
4489
2/2
✓ Branch 0 taken 100 times.
✓ Branch 1 taken 5 times.
105 for (ncount = 0; ncount < 20; ncount++) {
4490 100 random_scalar_order(&sc[ncount]);
4491 100 random_group_element_test(&pt[ncount]);
4492 }
4493
4494 5 secp256k1_scalar_clear(&sc[0]);
4495
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
5 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4496 5 secp256k1_scalar_clear(&sc[1]);
4497 5 secp256k1_scalar_clear(&sc[2]);
4498 5 secp256k1_scalar_clear(&sc[3]);
4499 5 secp256k1_scalar_clear(&sc[4]);
4500
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
5 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
4501
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 5 times.
5 CHECK(ecmult_multi(&ctx->error_callback, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
4502
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 5 times.
5 CHECK(secp256k1_gej_is_infinity(&r));
4503
4504 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4505 {
4506 5 const size_t TOP = 8;
4507 5 size_t s0i, s1i;
4508 5 size_t t0i, t1i;
4509 5 secp256k1_ge ptg;
4510 5 secp256k1_gej ptgj;
4511
4512 5 random_group_element_test(&ptg);
4513 5 secp256k1_gej_set_ge(&ptgj, &ptg);
4514
4515
2/2
✓ Branch 1 taken 40 times.
✓ Branch 2 taken 5 times.
50 for(t0i = 0; t0i < TOP; t0i++) {
4516
2/2
✓ Branch 0 taken 320 times.
✓ Branch 1 taken 40 times.
360 for(t1i = 0; t1i < TOP; t1i++) {
4517 320 secp256k1_gej t0p, t1p;
4518 320 secp256k1_scalar t0, t1;
4519
4520 320 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
4521 320 secp256k1_scalar_cond_negate(&t0, t0i & 1);
4522 320 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
4523 320 secp256k1_scalar_cond_negate(&t1, t1i & 1);
4524
4525 320 secp256k1_ecmult(&t0p, &ptgj, &t0, &szero);
4526 320 secp256k1_ecmult(&t1p, &ptgj, &t1, &szero);
4527
4528
2/2
✓ Branch 1 taken 2560 times.
✓ Branch 2 taken 320 times.
3200 for(s0i = 0; s0i < TOP; s0i++) {
4529
2/2
✓ Branch 0 taken 20480 times.
✓ Branch 1 taken 2560 times.
23040 for(s1i = 0; s1i < TOP; s1i++) {
4530 20480 secp256k1_scalar tmp1, tmp2;
4531 20480 secp256k1_gej expected, actual;
4532
4533 20480 secp256k1_ge_set_gej(&pt[0], &t0p);
4534 20480 secp256k1_ge_set_gej(&pt[1], &t1p);
4535
4536 20480 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
4537 20480 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
4538 20480 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
4539 20480 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
4540
4541 20480 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
4542 20480 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
4543 20480 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
4544
4545 20480 secp256k1_ecmult(&expected, &ptgj, &tmp1, &szero);
4546
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 20480 times.
20480 CHECK(ecmult_multi(&ctx->error_callback, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
4547 20480 secp256k1_gej_neg(&expected, &expected);
4548 20480 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
4549
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 20480 times.
20480 CHECK(secp256k1_gej_is_infinity(&actual));
4550 }
4551 }
4552 }
4553 }
4554 }
4555 5 }
4556
4557 1442 int test_ecmult_multi_random(secp256k1_scratch *scratch) {
4558 /* Large random test for ecmult_multi_* functions which exercises:
4559 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
4560 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
4561 * - Including or excluding an nonzero a*G term (or such a term at all).
4562 * - Final expected result equal to infinity or not (roughly 50%).
4563 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
4564 */
4565
4566 /* These 4 variables define the eventual input to the ecmult_multi function.
4567 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
4568 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
4569 * which form its normal inputs. */
4570 1442 int filled = 0;
4571 1442 secp256k1_scalar g_scalar = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4572 1442 secp256k1_scalar scalars[128];
4573 1442 secp256k1_gej gejs[128];
4574 /* The expected result, and the computed result. */
4575 1442 secp256k1_gej expected, computed;
4576 /* Temporaries. */
4577 1442 secp256k1_scalar sc_tmp;
4578 1442 secp256k1_ge ge_tmp;
4579 /* Variables needed for the actual input to ecmult_multi. */
4580 1442 secp256k1_ge ges[128];
4581 1442 ecmult_multi_data data;
4582
4583 1442 int i;
4584 /* Which multiplication function to use */
4585 1442 int fn = secp256k1_testrand_int(3);
4586
2/2
✓ Branch 0 taken 985 times.
✓ Branch 1 taken 457 times.
1442 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
4587
2/2
✓ Branch 0 taken 509 times.
✓ Branch 1 taken 476 times.
985 fn == 1 ? secp256k1_ecmult_strauss_batch_single :
4588 secp256k1_ecmult_pippenger_batch_single;
4589 /* Simulate exponentially distributed num. */
4590 1442 int num_bits = 2 + secp256k1_testrand_int(6);
4591 /* Number of (scalar, point) inputs (excluding g). */
4592 1442 int num = secp256k1_testrand_int((1 << num_bits) + 1);
4593 /* Number of those which are nonzero. */
4594 1442 int num_nonzero = secp256k1_testrand_int(num + 1);
4595 /* Whether we're aiming to create an input with nonzero expected result. */
4596 1442 int nonzero_result = secp256k1_testrand_bits(1);
4597 /* Whether we will provide nonzero g multiplicand. In some cases our hand
4598 * is forced here based on num_nonzero and nonzero_result. */
4599
2/2
✓ Branch 0 taken 1150 times.
✓ Branch 1 taken 292 times.
1442 int g_nonzero = num_nonzero == 0 ? nonzero_result :
4600
2/2
✓ Branch 0 taken 1052 times.
✓ Branch 1 taken 98 times.
2202 num_nonzero == 1 && !nonzero_result ? 1 :
4601 1052 (int)secp256k1_testrand_bits(1);
4602 /* Which g_scalar pointer to pass into ecmult_multi(). */
4603
4/4
✓ Branch 0 taken 678 times.
✓ Branch 1 taken 666 times.
✓ Branch 3 taken 364 times.
✓ Branch 4 taken 314 times.
1344 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || secp256k1_testrand_bits(1)) ? &g_scalar : NULL;
4604 /* How many EC multiplications were performed in this function. */
4605 1442 int mults = 0;
4606 /* How many randomization steps to apply to the input list. */
4607 1442 int rands = (int)secp256k1_testrand_bits(3);
4608 1442 if (rands > num_nonzero) rands = num_nonzero;
4609
4610 1442 secp256k1_gej_set_infinity(&expected);
4611 1442 secp256k1_gej_set_infinity(&gejs[0]);
4612
2/2
✓ Branch 0 taken 678 times.
✓ Branch 1 taken 764 times.
1442 secp256k1_scalar_set_int(&scalars[0], 0);
4613
4614
2/2
✓ Branch 0 taken 678 times.
✓ Branch 1 taken 764 times.
1442 if (g_nonzero) {
4615 /* If g_nonzero, set g_scalar to nonzero value r. */
4616 764 random_scalar_order_test(&g_scalar);
4617
2/2
✓ Branch 0 taken 428 times.
✓ Branch 1 taken 336 times.
764 if (!nonzero_result) {
4618 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
4619
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 336 times.
336 CHECK(num_nonzero > filled);
4620 336 random_scalar_order_test(&sc_tmp);
4621 336 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
4622 336 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
4623 336 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
4624 336 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
4625 336 ++filled;
4626 336 ++mults;
4627 }
4628 }
4629
4630
2/2
✓ Branch 0 taken 574 times.
✓ Branch 1 taken 868 times.
1442 if (nonzero_result && filled < num_nonzero) {
4631 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
4632 574 random_scalar_order_test(&scalars[filled]);
4633 574 random_group_element_test(&ge_tmp);
4634 574 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4635 574 ++filled;
4636 }
4637
4638
2/2
✓ Branch 0 taken 724 times.
✓ Branch 1 taken 718 times.
1442 if (nonzero_result) {
4639 /* Compute the expected result using normal ecmult. */
4640
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 724 times.
724 CHECK(filled <= 1);
4641 724 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
4642 724 mults += filled + g_nonzero;
4643 }
4644
4645 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
4646
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1442 times.
1442 CHECK(filled <= 1 + !nonzero_result);
4647
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1442 times.
1442 CHECK(filled <= num_nonzero);
4648
4649 /* Add entries to scalars,gejs so that there are num of them. All the added entries
4650 * either have scalar=0 or point=infinity, so these do not change the expected result. */
4651
2/2
✓ Branch 0 taken 29550 times.
✓ Branch 1 taken 1442 times.
30992 while (filled < num) {
4652
2/2
✓ Branch 1 taken 14863 times.
✓ Branch 2 taken 14687 times.
29550 if (secp256k1_testrand_bits(1)) {
4653 14863 secp256k1_gej_set_infinity(&gejs[filled]);
4654 14863 random_scalar_order_test(&scalars[filled]);
4655 } else {
4656 14687 secp256k1_scalar_set_int(&scalars[filled], 0);
4657 14687 random_group_element_test(&ge_tmp);
4658 14687 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
4659 }
4660 29550 ++filled;
4661 }
4662
4663 /* Now perform cheapish transformations on gejs and scalars, for indices
4664 * 0..num_nonzero-1, which do not change the expected result, but may
4665 * convert some of them to be both non-0-scalar and non-infinity-point. */
4666
2/2
✓ Branch 0 taken 3079 times.
✓ Branch 1 taken 1442 times.
4521 for (i = 0; i < rands; ++i) {
4667 int j;
4668 secp256k1_scalar v, iv;
4669 /* Shuffle the entries. */
4670
2/2
✓ Branch 0 taken 49979 times.
✓ Branch 1 taken 3079 times.
53058 for (j = 0; j < num_nonzero; ++j) {
4671 49979 int k = secp256k1_testrand_int(num_nonzero - j);
4672
2/2
✓ Branch 0 taken 41213 times.
✓ Branch 1 taken 8766 times.
49979 if (k != 0) {
4673 41213 secp256k1_gej gej = gejs[j];
4674 41213 secp256k1_scalar sc = scalars[j];
4675 41213 gejs[j] = gejs[j + k];
4676 41213 scalars[j] = scalars[j + k];
4677 41213 gejs[j + k] = gej;
4678 41213 scalars[j + k] = sc;
4679 }
4680 }
4681 /* Perturb all consecutive pairs of inputs:
4682 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
4683
2/2
✓ Branch 0 taken 24202 times.
✓ Branch 1 taken 3079 times.
27281 for (j = 0; j + 1 < num_nonzero; j += 2) {
4684 24202 secp256k1_gej gej;
4685 24202 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
4686 24202 secp256k1_gej_neg(&gej, &gejs[j]);
4687 24202 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
4688 }
4689 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
4690
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 3079 times.
3079 CHECK(num_nonzero >= 1);
4691 3079 random_scalar_order_test(&v);
4692 3079 secp256k1_scalar_inverse(&iv, &v);
4693 3079 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
4694 3079 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
4695 3079 ++mults;
4696 }
4697
4698 /* Shuffle all entries (0..num-1). */
4699
2/2
✓ Branch 0 taken 30460 times.
✓ Branch 1 taken 1442 times.
31902 for (i = 0; i < num; ++i) {
4700 30460 int j = secp256k1_testrand_int(num - i);
4701
2/2
✓ Branch 0 taken 26444 times.
✓ Branch 1 taken 4016 times.
30460 if (j != 0) {
4702 26444 secp256k1_gej gej = gejs[i];
4703 26444 secp256k1_scalar sc = scalars[i];
4704 26444 gejs[i] = gejs[i + j];
4705 26444 scalars[i] = scalars[i + j];
4706 26444 gejs[i + j] = gej;
4707 26444 scalars[i + j] = sc;
4708 }
4709 }
4710
4711 /* Compute affine versions of all inputs. */
4712 1442 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
4713 /* Invoke ecmult_multi code. */
4714 1442 data.sc = scalars;
4715 1442 data.pt = ges;
4716
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1442 times.
1442 CHECK(ecmult_multi(&ctx->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
4717 1442 mults += num_nonzero + g_nonzero;
4718 /* Compare with expected result. */
4719 1442 secp256k1_gej_neg(&computed, &computed);
4720 1442 secp256k1_gej_add_var(&computed, &computed, &expected, NULL);
4721
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1442 times.
1442 CHECK(secp256k1_gej_is_infinity(&computed));
4722 1442 return mults;
4723 }
4724
4725 2 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
4726 2 secp256k1_scalar szero;
4727 2 secp256k1_scalar sc;
4728 2 secp256k1_ge pt;
4729 2 secp256k1_gej r;
4730 2 ecmult_multi_data data;
4731 2 secp256k1_scratch *scratch_empty;
4732
4733 2 random_group_element_test(&pt);
4734 2 random_scalar_order(&sc);
4735 2 data.sc = &sc;
4736 2 data.pt = &pt;
4737 2 secp256k1_scalar_set_int(&szero, 0);
4738
4739 /* Try to multiply 1 point, but scratch space is empty.*/
4740 2 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
4741
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(!ecmult_multi(&ctx->error_callback, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
4742 2 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
4743 2 }
4744
4745 1 void test_secp256k1_pippenger_bucket_window_inv(void) {
4746 1 int i;
4747
4748 1 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
4749
2/2
✓ Branch 0 taken 12 times.
✓ Branch 1 taken 1 times.
13 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4750 /* Bucket_window of 8 is not used with endo */
4751
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 11 times.
12 if (i == 8) {
4752 1 continue;
4753 }
4754
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 11 times.
11 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
4755
2/2
✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1 times.
11 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4756
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
12 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
4757 }
4758 }
4759 1 }
4760
4761 /**
4762 * Probabilistically test the function returning the maximum number of possible points
4763 * for a given scratch space.
4764 */
4765 1 void test_ecmult_multi_pippenger_max_points(void) {
4766 1 size_t scratch_size = secp256k1_testrand_bits(8);
4767 1 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
4768 secp256k1_scratch *scratch;
4769 size_t n_points_supported;
4770 int bucket_window = 0;
4771
4772
2/2
✓ Branch 0 taken 25340 times.
✓ Branch 1 taken 1 times.
25341 for(; scratch_size < max_size; scratch_size+=256) {
4773 25340 size_t i;
4774 25340 size_t total_alloc;
4775 25340 size_t checkpoint;
4776 25340 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
4777
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25340 times.
25340 CHECK(scratch != NULL);
4778 25340 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
4779 25340 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
4780
2/2
✓ Branch 0 taken 8 times.
✓ Branch 1 taken 25332 times.
25340 if (n_points_supported == 0) {
4781 8 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4782 8 continue;
4783 }
4784 25332 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
4785 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4786 25332 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
4787
2/2
✓ Branch 0 taken 126660 times.
✓ Branch 1 taken 25332 times.
151992 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4788
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 126660 times.
126660 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
4789 126660 total_alloc--;
4790 }
4791
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 25332 times.
25332 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4792 25332 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4793 25332 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4794 }
4795
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4796 1 }
4797
4798 void test_ecmult_multi_batch_size_helper(void) {
4799 size_t n_batches, n_batch_points, max_n_batch_points, n;
4800
4801 max_n_batch_points = 0;
4802 n = 1;
4803 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4804
4805 max_n_batch_points = 1;
4806 n = 0;
4807 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4808 CHECK(n_batches == 0);
4809 CHECK(n_batch_points == 0);
4810
4811 max_n_batch_points = 2;
4812 n = 5;
4813 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4814 CHECK(n_batches == 3);
4815 CHECK(n_batch_points == 2);
4816
4817 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4818 n = ECMULT_MAX_POINTS_PER_BATCH;
4819 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4820 CHECK(n_batches == 1);
4821 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4822
4823 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4824 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
4825 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4826 CHECK(n_batches == 2);
4827 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4828
4829 max_n_batch_points = 1;
4830 n = SIZE_MAX;
4831 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4832 CHECK(n_batches == SIZE_MAX);
4833 CHECK(n_batch_points == 1);
4834
4835 1 max_n_batch_points = 2;
4836 1 n = SIZE_MAX;
4837 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4838 CHECK(n_batches == SIZE_MAX/2 + 1);
4839 CHECK(n_batch_points == 2);
4840 }
4841
4842 /**
4843 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
4844 * 1 <= i <= num points.
4845 */
4846 1 void test_ecmult_multi_batching(void) {
4847 1 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4848 1 secp256k1_scalar scG;
4849 1 secp256k1_scalar szero;
4850 1 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
4851 1 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
4852 1 secp256k1_gej r;
4853 1 secp256k1_gej r2;
4854 1 ecmult_multi_data data;
4855 1 int i;
4856 1 secp256k1_scratch *scratch;
4857
4858 1 secp256k1_gej_set_infinity(&r2);
4859 1 secp256k1_scalar_set_int(&szero, 0);
4860
4861 /* Get random scalars and group elements and compute result */
4862 1 random_scalar_order(&scG);
4863 1 secp256k1_ecmult(&r2, &r2, &szero, &scG);
4864
2/2
✓ Branch 1 taken 176 times.
✓ Branch 2 taken 1 times.
178 for(i = 0; i < n_points; i++) {
4865 176 secp256k1_ge ptg;
4866 176 secp256k1_gej ptgj;
4867 176 random_group_element_test(&ptg);
4868 176 secp256k1_gej_set_ge(&ptgj, &ptg);
4869 176 pt[i] = ptg;
4870 176 random_scalar_order(&sc[i]);
4871 176 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
4872 176 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
4873 }
4874 1 data.sc = sc;
4875 1 data.pt = pt;
4876 1 secp256k1_gej_neg(&r2, &r2);
4877
4878 /* Test with empty scratch space. It should compute the correct result using
4879 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4880 1 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
4881
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4882 1 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4883
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_gej_is_infinity(&r));
4884 1 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4885
4886 /* Test with space for 1 point in pippenger. That's not enough because
4887 * ecmult_multi selects strauss which requires more memory. It should
4888 * therefore select the simple algorithm. */
4889 1 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4890
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4891 1 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4892
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_gej_is_infinity(&r));
4893 1 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4894
4895
2/2
✓ Branch 1 taken 176 times.
✓ Branch 2 taken 1 times.
178 for(i = 1; i <= n_points; i++) {
4896
2/2
✓ Branch 0 taken 88 times.
✓ Branch 1 taken 88 times.
176 if (i > ECMULT_PIPPENGER_THRESHOLD) {
4897 88 int bucket_window = secp256k1_pippenger_bucket_window(i);
4898 88 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
4899 88 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4900 } else {
4901 88 size_t scratch_size = secp256k1_strauss_scratch_size(i);
4902 88 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4903 }
4904
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 176 times.
176 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4905 176 secp256k1_gej_add_var(&r, &r, &r2, NULL);
4906
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 176 times.
176 CHECK(secp256k1_gej_is_infinity(&r));
4907 176 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4908 }
4909 1 free(sc);
4910 1 free(pt);
4911 1 }
4912
4913 1 void run_ecmult_multi_tests(void) {
4914 1 secp256k1_scratch *scratch;
4915 1 int64_t todo = (int64_t)320 * count;
4916
4917 1 test_secp256k1_pippenger_bucket_window_inv();
4918 1 test_ecmult_multi_pippenger_max_points();
4919 1 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
4920 1 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4921 1 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
4922 1 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
4923 1 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
4924 1 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
4925 1 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
4926
2/2
✓ Branch 1 taken 1442 times.
✓ Branch 2 taken 1 times.
1443 while (todo > 0) {
4927 1442 todo -= test_ecmult_multi_random(scratch);
4928 }
4929 1 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4930
4931 /* Run test_ecmult_multi with space for exactly one point */
4932 1 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4933 1 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
4934 1 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
4935
4936 1 test_ecmult_multi_batch_size_helper();
4937 1 test_ecmult_multi_batching();
4938 1 }
4939
4940 64 void test_wnaf(const secp256k1_scalar *number, int w) {
4941 64 secp256k1_scalar x, two, t;
4942 64 int wnaf[256];
4943 64 int zeroes = -1;
4944 64 int i;
4945 64 int bits;
4946 64 secp256k1_scalar_set_int(&x, 0);
4947 64 secp256k1_scalar_set_int(&two, 2);
4948 64 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
4949
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
64 CHECK(bits <= 256);
4950
2/2
✓ Branch 0 taken 16120 times.
✓ Branch 1 taken 64 times.
16184 for (i = bits-1; i >= 0; i--) {
4951 16120 int v = wnaf[i];
4952 16120 secp256k1_scalar_mul(&x, &x, &two);
4953
2/2
✓ Branch 0 taken 1976 times.
✓ Branch 1 taken 14144 times.
16120 if (v) {
4954
3/4
✓ Branch 0 taken 1912 times.
✓ Branch 1 taken 64 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 1912 times.
1976 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4955 1976 zeroes=0;
4956
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1976 times.
1976 CHECK((v & 1) == 1); /* check non-zero elements are odd */
4957
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1976 times.
1976 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4958
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1976 times.
1976 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4959 } else {
4960
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 14144 times.
14144 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4961 14144 zeroes++;
4962 }
4963
2/2
✓ Branch 0 taken 15123 times.
✓ Branch 1 taken 997 times.
16120 if (v >= 0) {
4964 15123 secp256k1_scalar_set_int(&t, v);
4965 } else {
4966 997 secp256k1_scalar_set_int(&t, -v);
4967 997 secp256k1_scalar_negate(&t, &t);
4968 }
4969 16120 secp256k1_scalar_add(&x, &x, &t);
4970 }
4971
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
64 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4972 64 }
4973
4974 64 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
4975 64 secp256k1_scalar neg1 = *number;
4976 64 secp256k1_scalar neg2 = *number;
4977 64 int sign1 = 1;
4978 64 int sign2 = 1;
4979
4980
2/2
✓ Branch 0 taken 26 times.
✓ Branch 1 taken 38 times.
64 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
4981 26 secp256k1_scalar_negate(&neg1, &neg1);
4982 26 sign1 = -1;
4983 }
4984 64 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
4985
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
64 CHECK(sign1 == sign2);
4986
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
64 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
4987 64 }
4988
4989 71 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
4990 71 secp256k1_scalar x, shift;
4991 71 int wnaf[256] = {0};
4992 71 int i;
4993 71 int skew;
4994 71 int bits = 256;
4995 71 secp256k1_scalar num = *number;
4996 71 secp256k1_scalar scalar_skew;
4997
4998 71 secp256k1_scalar_set_int(&x, 0);
4999 71 secp256k1_scalar_set_int(&shift, 1 << w);
5000
2/2
✓ Branch 0 taken 1136 times.
✓ Branch 1 taken 71 times.
1207 for (i = 0; i < 16; ++i) {
5001 1136 secp256k1_scalar_shr_int(&num, 8);
5002 }
5003 71 bits = 128;
5004 71 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
5005
5006
2/2
✓ Branch 0 taken 1450 times.
✓ Branch 1 taken 71 times.
1521 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
5007 1450 secp256k1_scalar t;
5008 1450 int v = wnaf[i];
5009
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
1450 CHECK(v != 0); /* check nonzero */
5010
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
1450 CHECK(v & 1); /* check parity */
5011
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
1450 CHECK(v > -(1 << w)); /* check range above */
5012
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1450 times.
1450 CHECK(v < (1 << w)); /* check range below */
5013
5014 1450 secp256k1_scalar_mul(&x, &x, &shift);
5015
2/2
✓ Branch 0 taken 770 times.
✓ Branch 1 taken 680 times.
1450 if (v >= 0) {
5016 770 secp256k1_scalar_set_int(&t, v);
5017 } else {
5018 680 secp256k1_scalar_set_int(&t, -v);
5019 680 secp256k1_scalar_negate(&t, &t);
5020 }
5021 1450 secp256k1_scalar_add(&x, &x, &t);
5022 }
5023 /* Skew num because when encoding numbers as odd we use an offset */
5024 71 secp256k1_scalar_set_int(&scalar_skew, skew);
5025 71 secp256k1_scalar_add(&num, &num, &scalar_skew);
5026
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 71 times.
71 CHECK(secp256k1_scalar_eq(&x, &num));
5027 71 }
5028
5029 64 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5030 64 secp256k1_scalar x, shift;
5031 64 int wnaf[256] = {0};
5032 64 int i;
5033 64 int skew;
5034 64 secp256k1_scalar num = *number;
5035
5036 64 secp256k1_scalar_set_int(&x, 0);
5037 64 secp256k1_scalar_set_int(&shift, 1 << w);
5038
2/2
✓ Branch 0 taken 1024 times.
✓ Branch 1 taken 64 times.
1088 for (i = 0; i < 16; ++i) {
5039 1024 secp256k1_scalar_shr_int(&num, 8);
5040 }
5041 64 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5042
5043
2/2
✓ Branch 0 taken 1155 times.
✓ Branch 1 taken 64 times.
1219 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5044 1155 secp256k1_scalar t;
5045 1155 int v = wnaf[i];
5046
3/4
✓ Branch 0 taken 1129 times.
✓ Branch 1 taken 26 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 1129 times.
1155 CHECK(v == 0 || v & 1); /* check parity */
5047
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1155 times.
1155 CHECK(v > -(1 << w)); /* check range above */
5048
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1155 times.
1155 CHECK(v < (1 << w)); /* check range below */
5049
5050 1155 secp256k1_scalar_mul(&x, &x, &shift);
5051
2/2
✓ Branch 0 taken 656 times.
✓ Branch 1 taken 499 times.
1155 if (v >= 0) {
5052 656 secp256k1_scalar_set_int(&t, v);
5053 } else {
5054 499 secp256k1_scalar_set_int(&t, -v);
5055 499 secp256k1_scalar_negate(&t, &t);
5056 }
5057 1155 secp256k1_scalar_add(&x, &x, &t);
5058 }
5059 /* If skew is 1 then add 1 to num */
5060 64 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5061
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 64 times.
64 CHECK(secp256k1_scalar_eq(&x, &num));
5062 64 }
5063
5064 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5065 * rest is 0.*/
5066 4 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5067 4 int i;
5068
2/2
✓ Branch 0 taken 96 times.
✓ Branch 1 taken 4 times.
100 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5069
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 96 times.
96 CHECK(wnaf[i] == 0);
5070 }
5071
2/2
✓ Branch 0 taken 32 times.
✓ Branch 1 taken 4 times.
36 for (i = 7; i >= 0; --i) {
5072
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(wnaf[i] == wnaf_expected[i]);
5073 }
5074 4 }
5075
5076 1 void test_fixed_wnaf_small(void) {
5077 1 int w = 4;
5078 1 int wnaf[256] = {0};
5079 1 int i;
5080 1 int skew;
5081 1 secp256k1_scalar num;
5082
5083 1 secp256k1_scalar_set_int(&num, 0);
5084 1 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5085
2/2
✓ Branch 1 taken 32 times.
✓ Branch 2 taken 1 times.
34 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5086 32 int v = wnaf[i];
5087
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 32 times.
32 CHECK(v == 0);
5088 }
5089
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(skew == 0);
5090
5091 1 secp256k1_scalar_set_int(&num, 1);
5092 1 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5093
2/2
✓ Branch 1 taken 31 times.
✓ Branch 2 taken 1 times.
33 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5094 31 int v = wnaf[i];
5095
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 31 times.
31 CHECK(v == 0);
5096 }
5097
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(wnaf[0] == 1);
5098
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(skew == 0);
5099
5100 {
5101 1 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5102 1 secp256k1_scalar_set_int(&num, 0xffffffff);
5103 1 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5104 1 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5105
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(skew == 0);
5106 }
5107 {
5108 1 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5109 1 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5110 1 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5111 1 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5112
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(skew == 1);
5113 }
5114 {
5115 1 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5116 1 secp256k1_scalar_set_int(&num, 0x01010101);
5117 1 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5118 1 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5119
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(skew == 0);
5120 }
5121 {
5122 1 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5123 1 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5124 1 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5125 1 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5126
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(skew == 0);
5127 }
5128 1 }
5129
5130 1 void run_wnaf(void) {
5131 1 int i;
5132 1 secp256k1_scalar n = {{0}};
5133
5134 1 test_constant_wnaf(&n, 4);
5135 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
5136 * have easier-to-diagnose failure modes */
5137 1 n.d[0] = 1;
5138 1 test_constant_wnaf(&n, 4);
5139 1 n.d[0] = 2;
5140 1 test_constant_wnaf(&n, 4);
5141 /* Test -1, because it's a special case in wnaf_const */
5142 1 n = secp256k1_scalar_one;
5143 1 secp256k1_scalar_negate(&n, &n);
5144 1 test_constant_wnaf(&n, 4);
5145
5146 /* Test -2, which may not lead to overflows in wnaf_const */
5147 1 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
5148 1 secp256k1_scalar_negate(&n, &n);
5149 1 test_constant_wnaf(&n, 4);
5150
5151 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
5152 as corner cases of negation handling in wnaf_const */
5153 1 secp256k1_scalar_inverse(&n, &n);
5154 1 test_constant_wnaf(&n, 4);
5155
5156 1 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
5157 1 test_constant_wnaf(&n, 4);
5158
5159 /* Test 0 for fixed wnaf */
5160 1 test_fixed_wnaf_small();
5161 /* Random tests */
5162
2/2
✓ Branch 1 taken 64 times.
✓ Branch 2 taken 1 times.
66 for (i = 0; i < count; i++) {
5163 64 random_scalar_order(&n);
5164 64 test_wnaf(&n, 4+(i%10));
5165 64 test_constant_wnaf_negate(&n);
5166 64 test_constant_wnaf(&n, 4 + (i % 10));
5167 64 test_fixed_wnaf(&n, 4 + (i % 10));
5168 }
5169 1 secp256k1_scalar_set_int(&n, 0);
5170
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5171
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_is_zero(&n));
5172
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5173
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_is_zero(&n));
5174 1 }
5175
5176 35920 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5177 35920 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5178 35920 *sc = *indata;
5179 35920 *pt = secp256k1_ge_const_g;
5180
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 35920 times.
35920 CHECK(idx == 0);
5181 35920 return 1;
5182 }
5183
5184 35920 void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5185 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */
5186 35920 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj;
5187 35920 secp256k1_ge r;
5188 35920 const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5189 35920 unsigned char bytes[65];
5190 35920 size_t size = 65;
5191 35920 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5192 35920 secp256k1_gej_set_infinity(&infj);
5193 35920 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj1, x);
5194 35920 secp256k1_ecmult(&rj2, &gj, x, &zero);
5195 35920 secp256k1_ecmult(&rj3, &infj, &zero, x);
5196 35920 secp256k1_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0);
5197 35920 secp256k1_ecmult_multi_var(NULL, scratch, &rj5, &zero, test_ecmult_accumulate_cb, (void*)x, 1);
5198 35920 secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x, 256);
5199 35920 secp256k1_ge_set_gej_var(&r, &rj1);
5200 35920 ge_equals_gej(&r, &rj2);
5201 35920 ge_equals_gej(&r, &rj3);
5202 35920 ge_equals_gej(&r, &rj4);
5203 35920 ge_equals_gej(&r, &rj5);
5204 35920 ge_equals_gej(&r, &rj6);
5205
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 35916 times.
35920 if (secp256k1_ge_is_infinity(&r)) {
5206 /* Store infinity as 0x00 */
5207 4 const unsigned char zerobyte[1] = {0};
5208 4 secp256k1_sha256_write(acc, zerobyte, 1);
5209 } else {
5210 /* Store other points using their uncompressed serialization. */
5211 35916 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0);
5212
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 35916 times.
35916 CHECK(size == 65);
5213 35916 secp256k1_sha256_write(acc, bytes, size);
5214 }
5215 35920 }
5216
5217 1 void test_ecmult_constants_2bit(void) {
5218 /* Using test_ecmult_accumulate, test ecmult for:
5219 * - For i in 0..36:
5220 * - Key i
5221 * - Key -i
5222 * - For i in 0..255:
5223 * - For j in 1..255 (only odd values):
5224 * - Key (j*2^i) mod order
5225 */
5226 1 secp256k1_scalar x;
5227 1 secp256k1_sha256 acc;
5228 1 unsigned char b32[32];
5229 1 int i, j;
5230 1 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
5231
5232 /* Expected hash of all the computed points; created with an independent
5233 * implementation. */
5234 1 static const unsigned char expected32[32] = {
5235 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5236 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5237 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5238 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5239 };
5240 1 secp256k1_sha256_initialize(&acc);
5241
2/2
✓ Branch 0 taken 37 times.
✓ Branch 1 taken 1 times.
38 for (i = 0; i <= 36; ++i) {
5242 37 secp256k1_scalar_set_int(&x, i);
5243 37 test_ecmult_accumulate(&acc, &x, scratch);
5244 37 secp256k1_scalar_negate(&x, &x);
5245 37 test_ecmult_accumulate(&acc, &x, scratch);
5246 };
5247
2/2
✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
257 for (i = 0; i < 256; ++i) {
5248
2/2
✓ Branch 0 taken 32768 times.
✓ Branch 1 taken 256 times.
33024 for (j = 1; j < 256; j += 2) {
5249 32768 int k;
5250 32768 secp256k1_scalar_set_int(&x, j);
5251
2/2
✓ Branch 1 taken 4177920 times.
✓ Branch 2 taken 32768 times.
4210688 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5252 32768 test_ecmult_accumulate(&acc, &x, scratch);
5253 }
5254 }
5255 1 secp256k1_sha256_finalize(&acc, b32);
5256
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5257
5258 1 secp256k1_scratch_space_destroy(ctx, scratch);
5259 1 }
5260
5261 2 void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5262 /* Using test_ecmult_accumulate, test ecmult for:
5263 * - Key 0
5264 * - Key 1
5265 * - Key -1
5266 * - For i in range(iter):
5267 * - Key SHA256(LE32(prefix) || LE16(i))
5268 */
5269 2 secp256k1_scalar x;
5270 2 secp256k1_sha256 acc;
5271 2 unsigned char b32[32];
5272 2 unsigned char inp[6];
5273 2 size_t i;
5274 2 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(ctx, 65536);
5275
5276 2 inp[0] = prefix & 0xFF;
5277 2 inp[1] = (prefix >> 8) & 0xFF;
5278 2 inp[2] = (prefix >> 16) & 0xFF;
5279 2 inp[3] = (prefix >> 24) & 0xFF;
5280 2 secp256k1_sha256_initialize(&acc);
5281 2 secp256k1_scalar_set_int(&x, 0);
5282 2 test_ecmult_accumulate(&acc, &x, scratch);
5283 2 secp256k1_scalar_set_int(&x, 1);
5284 2 test_ecmult_accumulate(&acc, &x, scratch);
5285 2 secp256k1_scalar_negate(&x, &x);
5286 2 test_ecmult_accumulate(&acc, &x, scratch);
5287
5288
2/2
✓ Branch 1 taken 3072 times.
✓ Branch 2 taken 2 times.
3076 for (i = 0; i < iter; ++i) {
5289 3072 secp256k1_sha256 gen;
5290 3072 inp[4] = i & 0xff;
5291 3072 inp[5] = (i >> 8) & 0xff;
5292 3072 secp256k1_sha256_initialize(&gen);
5293 3072 secp256k1_sha256_write(&gen, inp, sizeof(inp));
5294 3072 secp256k1_sha256_finalize(&gen, b32);
5295 3072 secp256k1_scalar_set_b32(&x, b32, NULL);
5296 3072 test_ecmult_accumulate(&acc, &x, scratch);
5297 }
5298 2 secp256k1_sha256_finalize(&acc, b32);
5299
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
4 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5300
5301 2 secp256k1_scratch_space_destroy(ctx, scratch);
5302 2 }
5303
5304 1 void run_ecmult_constants(void) {
5305 /* Expected hashes of all points in the tests below. Computed using an
5306 * independent implementation. */
5307 1 static const unsigned char expected32_6bit20[32] = {
5308 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5309 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5310 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5311 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5312 };
5313 1 static const unsigned char expected32_8bit8[32] = {
5314 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5315 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5316 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5317 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5318 };
5319 /* For every combination of 6 bit positions out of 256, restricted to
5320 * 20-bit windows (i.e., the first and last bit position are no more than
5321 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5322 * this test. */
5323
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5324 1 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5325 }
5326
5327 /* For every combination of 8 consecutive bit positions, all 256 bit
5328 * patterns occur in the input scalars used in this test. */
5329
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5330 1 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5331 }
5332
5333
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") {
5334 1 test_ecmult_constants_2bit();
5335 }
5336 1 }
5337
5338 10 void test_ecmult_gen_blind(void) {
5339 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5340 10 secp256k1_scalar key;
5341 10 secp256k1_scalar b;
5342 10 unsigned char seed32[32];
5343 10 secp256k1_gej pgej;
5344 10 secp256k1_gej pgej2;
5345 10 secp256k1_gej i;
5346 10 secp256k1_ge pge;
5347 10 random_scalar_order_test(&key);
5348 10 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
5349 10 secp256k1_testrand256(seed32);
5350 10 b = ctx->ecmult_gen_ctx.blind;
5351 10 i = ctx->ecmult_gen_ctx.initial;
5352 10 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
5353
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5354 10 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
5355
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5356
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 10 times.
10 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
5357 10 secp256k1_ge_set_gej(&pge, &pgej);
5358 10 ge_equals_gej(&pge, &pgej2);
5359 10 }
5360
5361 1 void test_ecmult_gen_blind_reset(void) {
5362 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5363 1 secp256k1_scalar b;
5364 1 secp256k1_gej initial;
5365 1 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5366 1 b = ctx->ecmult_gen_ctx.blind;
5367 1 initial = ctx->ecmult_gen_ctx.initial;
5368 1 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
5369
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5370
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
5371 1 }
5372
5373 1 void run_ecmult_gen_blind(void) {
5374 1 int i;
5375 1 test_ecmult_gen_blind_reset();
5376
2/2
✓ Branch 1 taken 10 times.
✓ Branch 2 taken 1 times.
12 for (i = 0; i < 10; i++) {
5377 10 test_ecmult_gen_blind();
5378 }
5379 1 }
5380
5381 /***** ENDOMORPHISH TESTS *****/
5382 6425 void test_scalar_split(const secp256k1_scalar* full) {
5383 6425 secp256k1_scalar s, s1, slam;
5384 6425 const unsigned char zero[32] = {0};
5385 6425 unsigned char tmp[32];
5386
5387 6425 secp256k1_scalar_split_lambda(&s1, &slam, full);
5388
5389 /* check slam*lambda + s1 == full */
5390 6425 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5391 6425 secp256k1_scalar_add(&s, &s, &s1);
5392
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 6425 times.
6425 CHECK(secp256k1_scalar_eq(&s, full));
5393
5394 /* check that both are <= 128 bits in size */
5395
2/2
✓ Branch 0 taken 3173 times.
✓ Branch 1 taken 3252 times.
6425 if (secp256k1_scalar_is_high(&s1)) {
5396 3173 secp256k1_scalar_negate(&s1, &s1);
5397 }
5398
2/2
✓ Branch 0 taken 3210 times.
✓ Branch 1 taken 3215 times.
6425 if (secp256k1_scalar_is_high(&slam)) {
5399 3210 secp256k1_scalar_negate(&slam, &slam);
5400 }
5401
5402 6425 secp256k1_scalar_get_b32(tmp, &s1);
5403
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 6425 times.
12850 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5404 6425 secp256k1_scalar_get_b32(tmp, &slam);
5405
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 6425 times.
12850 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5406 6425 }
5407
5408
5409 1 void run_endomorphism_tests(void) {
5410 1 unsigned i;
5411 1 static secp256k1_scalar s;
5412 1 test_scalar_split(&secp256k1_scalar_zero);
5413 1 test_scalar_split(&secp256k1_scalar_one);
5414 1 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5415 1 test_scalar_split(&s);
5416 1 test_scalar_split(&secp256k1_const_lambda);
5417 1 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5418 1 test_scalar_split(&s);
5419
5420
2/2
✓ Branch 1 taken 6400 times.
✓ Branch 2 taken 1 times.
6402 for (i = 0; i < 100U * count; ++i) {
5421 6400 secp256k1_scalar full;
5422 6400 random_scalar_order_test(&full);
5423 6400 test_scalar_split(&full);
5424 }
5425
2/2
✓ Branch 0 taken 20 times.
✓ Branch 1 taken 1 times.
21 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5426 20 test_scalar_split(&scalars_near_split_bounds[i]);
5427 }
5428 1 }
5429
5430 23 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5431 23 unsigned char pubkeyc[65];
5432 23 secp256k1_pubkey pubkey;
5433 23 secp256k1_ge ge;
5434 23 size_t pubkeyclen;
5435 23 int32_t ecount;
5436 23 ecount = 0;
5437
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
23 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5438
2/2
✓ Branch 0 taken 1449 times.
✓ Branch 1 taken 23 times.
1472 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5439 /* Smaller sizes are tested exhaustively elsewhere. */
5440 1449 int32_t i;
5441 1449 memcpy(&pubkeyc[1], input, 64);
5442 1449 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5443
2/2
✓ Branch 0 taken 370944 times.
✓ Branch 1 taken 1449 times.
372393 for (i = 0; i < 256; i++) {
5444 /* Try all type bytes. */
5445 370944 int xpass;
5446 370944 int ypass;
5447 370944 int ysign;
5448 370944 pubkeyc[0] = i;
5449 /* What sign does this point have? */
5450 370944 ysign = (input[63] & 1) + 2;
5451 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5452
4/4
✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 366848 times.
✓ Branch 2 taken 4064 times.
✓ Branch 3 taken 32 times.
370944 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5453 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5454
6/6
✓ Branch 0 taken 190464 times.
✓ Branch 1 taken 3072 times.
✓ Branch 2 taken 96768 times.
✓ Branch 3 taken 96768 times.
✓ Branch 4 taken 96756 times.
✓ Branch 5 taken 12 times.
384000 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5455
6/6
✓ Branch 0 taken 193536 times.
✓ Branch 1 taken 177408 times.
✓ Branch 2 taken 756 times.
✓ Branch 3 taken 96000 times.
✓ Branch 4 taken 732 times.
✓ Branch 5 taken 36 times.
467712 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5456
2/2
✓ Branch 0 taken 56 times.
✓ Branch 1 taken 370888 times.
370944 if (xpass || ypass) {
5457 /* These cases must parse. */
5458 56 unsigned char pubkeyo[65];
5459 56 size_t outl;
5460 56 memset(&pubkey, 0, sizeof(pubkey));
5461 56 VG_UNDEF(&pubkey, sizeof(pubkey));
5462 56 ecount = 0;
5463
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 56 times.
56 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5464 56 VG_CHECK(&pubkey, sizeof(pubkey));
5465 56 outl = 65;
5466 56 VG_UNDEF(pubkeyo, 65);
5467
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 56 times.
56 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5468 56 VG_CHECK(pubkeyo, outl);
5469
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 56 times.
56 CHECK(outl == 33);
5470
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 56 times.
56 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5471
3/4
✓ Branch 0 taken 32 times.
✓ Branch 1 taken 24 times.
✗ Branch 2 not taken.
✓ Branch 3 taken 32 times.
56 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5472
2/2
✓ Branch 0 taken 36 times.
✓ Branch 1 taken 20 times.
56 if (ypass) {
5473 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5474
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
36 CHECK(pubkeyo[0] == ysign);
5475
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 36 times.
36 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5476 36 memset(&pubkey, 0, sizeof(pubkey));
5477 36 VG_UNDEF(&pubkey, sizeof(pubkey));
5478 36 secp256k1_pubkey_save(&pubkey, &ge);
5479 36 VG_CHECK(&pubkey, sizeof(pubkey));
5480 36 outl = 65;
5481 36 VG_UNDEF(pubkeyo, 65);
5482
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 36 times.
36 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5483 36 VG_CHECK(pubkeyo, outl);
5484
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
36 CHECK(outl == 65);
5485
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
36 CHECK(pubkeyo[0] == 4);
5486
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 36 times.
36 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5487 }
5488
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 56 times.
56 CHECK(ecount == 0);
5489 } else {
5490 /* These cases must fail to parse. */
5491 370888 memset(&pubkey, 0xfe, sizeof(pubkey));
5492 370888 ecount = 0;
5493 370888 VG_UNDEF(&pubkey, sizeof(pubkey));
5494
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 370888 times.
370888 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
5495 370888 VG_CHECK(&pubkey, sizeof(pubkey));
5496
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 370888 times.
370888 CHECK(ecount == 0);
5497
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 370888 times.
370888 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5498
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 370888 times.
370944 CHECK(ecount == 1);
5499 }
5500 }
5501 }
5502
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
23 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5503 23 }
5504
5505 1 void run_ec_pubkey_parse_test(void) {
5506 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
5507 1 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5508 {
5509 /* Point with leading and trailing zeros in x and y serialization. */
5510 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5511 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5512 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5513 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5514 },
5515 {
5516 /* Point with x equal to a 3rd root of unity.*/
5517 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5518 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5519 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5520 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5521 },
5522 {
5523 /* Point with largest x. (1/2) */
5524 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5525 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5526 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5527 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5528 },
5529 {
5530 /* Point with largest x. (2/2) */
5531 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5532 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5533 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5534 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5535 },
5536 {
5537 /* Point with smallest x. (1/2) */
5538 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5540 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5541 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5542 },
5543 {
5544 /* Point with smallest x. (2/2) */
5545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5546 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5547 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5548 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5549 },
5550 {
5551 /* Point with largest y. (1/3) */
5552 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5553 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5554 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5555 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5556 },
5557 {
5558 /* Point with largest y. (2/3) */
5559 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5560 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5561 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5562 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5563 },
5564 {
5565 /* Point with largest y. (3/3) */
5566 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5567 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5568 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5569 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5570 },
5571 {
5572 /* Point with smallest y. (1/3) */
5573 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5574 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5577 },
5578 {
5579 /* Point with smallest y. (2/3) */
5580 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5581 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5584 },
5585 {
5586 /* Point with smallest y. (3/3) */
5587 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5588 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5589 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5590 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5591 }
5592 };
5593 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
5594 1 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
5595 {
5596 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5597 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5598 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5600 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5601 },
5602 {
5603 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5604 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5605 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5608 },
5609 {
5610 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5611 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5612 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5613 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5614 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5615 },
5616 {
5617 /* x on curve, y is from y^2 = x^3 + 8. */
5618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5622 }
5623 };
5624 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
5625 1 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
5626 {
5627 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5628 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5629 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5631 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5632 },
5633 {
5634 /* Valid if x overflow ignored (x = 1 mod p). */
5635 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5636 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5637 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5638 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5639 },
5640 {
5641 /* Valid if x overflow ignored (x = 1 mod p). */
5642 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5643 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5644 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5645 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5646 },
5647 {
5648 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5649 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5650 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5651 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5652 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5653 },
5654 {
5655 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5656 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5657 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5658 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5659 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5660 },
5661 {
5662 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5663 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5664 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5665 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5666 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5667 },
5668 {
5669 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5671 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5672 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5673 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5674 }
5675 };
5676 1 const unsigned char pubkeyc[66] = {
5677 /* Serialization of G. */
5678 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5679 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5680 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5681 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5682 0xB8, 0x00
5683 };
5684 1 unsigned char sout[65];
5685 1 unsigned char shortkey[2];
5686 1 secp256k1_ge ge;
5687 1 secp256k1_pubkey pubkey;
5688 1 size_t len;
5689 1 int32_t i;
5690 1 int32_t ecount;
5691 1 int32_t ecount2;
5692 1 ecount = 0;
5693 /* Nothing should be reading this far into pubkeyc. */
5694 1 VG_UNDEF(&pubkeyc[65], 1);
5695
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5696 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5697 1 memset(&pubkey, 0xfe, sizeof(pubkey));
5698 1 ecount = 0;
5699 1 VG_UNDEF(shortkey, 2);
5700 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5701
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
5702 1 VG_CHECK(&pubkey, sizeof(pubkey));
5703
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5704
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5705
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5706 /* Length one claimed, fail, zeroize, no illegal arg error. */
5707
2/2
✓ Branch 0 taken 256 times.
✓ Branch 1 taken 1 times.
257 for (i = 0; i < 256 ; i++) {
5708 256 memset(&pubkey, 0xfe, sizeof(pubkey));
5709 256 ecount = 0;
5710 256 shortkey[0] = i;
5711 256 VG_UNDEF(&shortkey[1], 1);
5712 256 VG_UNDEF(&pubkey, sizeof(pubkey));
5713
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 256 times.
256 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
5714 256 VG_CHECK(&pubkey, sizeof(pubkey));
5715
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
256 CHECK(ecount == 0);
5716
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 256 times.
256 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5717
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 256 times.
256 CHECK(ecount == 1);
5718 }
5719 /* Length two claimed, fail, zeroize, no illegal arg error. */
5720
2/2
✓ Branch 0 taken 65536 times.
✓ Branch 1 taken 1 times.
65537 for (i = 0; i < 65536 ; i++) {
5721 65536 memset(&pubkey, 0xfe, sizeof(pubkey));
5722 65536 ecount = 0;
5723 65536 shortkey[0] = i & 255;
5724 65536 shortkey[1] = i >> 8;
5725 65536 VG_UNDEF(&pubkey, sizeof(pubkey));
5726
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 65536 times.
65536 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
5727 65536 VG_CHECK(&pubkey, sizeof(pubkey));
5728
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 65536 times.
65536 CHECK(ecount == 0);
5729
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 65536 times.
65536 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5730
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 65536 times.
65536 CHECK(ecount == 1);
5731 }
5732 1 memset(&pubkey, 0xfe, sizeof(pubkey));
5733 1 ecount = 0;
5734 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5735 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5736
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
5737 1 VG_CHECK(&pubkey, sizeof(pubkey));
5738
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5739
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5740
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5741 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5742
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
5743
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
5744 /* NULL input string. Illegal arg and zeroize output. */
5745 1 memset(&pubkey, 0xfe, sizeof(pubkey));
5746 1 ecount = 0;
5747 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5748
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
5749 1 VG_CHECK(&pubkey, sizeof(pubkey));
5750
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5751
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5752
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
5753 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5754 1 memset(&pubkey, 0xfe, sizeof(pubkey));
5755 1 ecount = 0;
5756 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5757
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
5758 1 VG_CHECK(&pubkey, sizeof(pubkey));
5759
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5760
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5761
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5762 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5763 1 memset(&pubkey, 0xfe, sizeof(pubkey));
5764 1 ecount = 0;
5765 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5766
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
5767 1 VG_CHECK(&pubkey, sizeof(pubkey));
5768
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5769
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
5770
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5771 /* Valid parse. */
5772 1 memset(&pubkey, 0, sizeof(pubkey));
5773 1 ecount = 0;
5774 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5775
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
5776
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
5777 1 VG_CHECK(&pubkey, sizeof(pubkey));
5778
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5779 1 VG_UNDEF(&ge, sizeof(ge));
5780
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
5781 1 VG_CHECK(&ge.x, sizeof(ge.x));
5782 1 VG_CHECK(&ge.y, sizeof(ge.y));
5783 1 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
5784 1 ge_equals_ge(&secp256k1_ge_const_g, &ge);
5785
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5786 /* secp256k1_ec_pubkey_serialize illegal args. */
5787 1 ecount = 0;
5788 1 len = 65;
5789
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5790
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5791
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(len == 0);
5792
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
5793
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
5794 1 len = 65;
5795 1 VG_UNDEF(sout, 65);
5796
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
5797 1 VG_CHECK(sout, 65);
5798
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
5799
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(len == 0);
5800 1 len = 65;
5801
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
5802
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 4);
5803
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(len == 0);
5804 1 len = 65;
5805 1 VG_UNDEF(sout, 65);
5806
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5807 1 VG_CHECK(sout, 65);
5808
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 4);
5809
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(len == 65);
5810 /* Multiple illegal args. Should still set arg error only once. */
5811 1 ecount = 0;
5812 1 ecount2 = 11;
5813
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5814
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5815 /* Does the illegal arg callback actually change the behavior? */
5816
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
5817
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5818
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5819
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount2 == 10);
5820
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5821 /* Try a bunch of prefabbed points with all possible encodings. */
5822
2/2
✓ Branch 0 taken 12 times.
✓ Branch 1 taken 1 times.
13 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
5823 12 ec_pubkey_parse_pointtest(valid[i], 1, 1);
5824 }
5825
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
5 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
5826 4 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
5827 }
5828
2/2
✓ Branch 0 taken 7 times.
✓ Branch 1 taken 1 times.
8 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
5829 7 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
5830 }
5831 1 }
5832
5833 1 void run_eckey_edge_case_test(void) {
5834 1 const unsigned char orderc[32] = {
5835 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5836 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5837 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5838 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
5839 };
5840 1 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
5841 1 unsigned char ctmp[33];
5842 1 unsigned char ctmp2[33];
5843 1 secp256k1_pubkey pubkey;
5844 1 secp256k1_pubkey pubkey2;
5845 1 secp256k1_pubkey pubkey_one;
5846 1 secp256k1_pubkey pubkey_negone;
5847 1 const secp256k1_pubkey *pubkeys[3];
5848 1 size_t len;
5849 1 int32_t ecount;
5850 /* Group order is too large, reject. */
5851
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
5852 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5853
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
5854 VG_CHECK(&pubkey, sizeof(pubkey));
5855
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5856 /* Maximum value is too large, reject. */
5857 1 memset(ctmp, 255, 32);
5858
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5859 1 memset(&pubkey, 1, sizeof(pubkey));
5860 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5861
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5862 VG_CHECK(&pubkey, sizeof(pubkey));
5863
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5864 /* Zero is too small, reject. */
5865 1 memset(ctmp, 0, 32);
5866
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5867 1 memset(&pubkey, 1, sizeof(pubkey));
5868 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5869
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5870 VG_CHECK(&pubkey, sizeof(pubkey));
5871
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5872 /* One must be accepted. */
5873 1 ctmp[31] = 0x01;
5874
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5875 1 memset(&pubkey, 0, sizeof(pubkey));
5876 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5877
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5878 VG_CHECK(&pubkey, sizeof(pubkey));
5879
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5880 1 pubkey_one = pubkey;
5881 /* Group order + 1 is too large, reject. */
5882 1 memcpy(ctmp, orderc, 32);
5883 1 ctmp[31] = 0x42;
5884
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5885 1 memset(&pubkey, 1, sizeof(pubkey));
5886 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5887
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5888 VG_CHECK(&pubkey, sizeof(pubkey));
5889
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
5890 /* -1 must be accepted. */
5891 1 ctmp[31] = 0x40;
5892
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5893 1 memset(&pubkey, 0, sizeof(pubkey));
5894 1 VG_UNDEF(&pubkey, sizeof(pubkey));
5895
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5896 VG_CHECK(&pubkey, sizeof(pubkey));
5897
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
5898 1 pubkey_negone = pubkey;
5899 /* Tweak of zero leaves the value unchanged. */
5900 1 memset(ctmp2, 0, 32);
5901
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
5902
2/4
✓ Branch 0 taken 1 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 1 times.
1 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
5903 1 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
5904
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5905
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5906 /* Multiply tweak of zero zeroizes the output. */
5907
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5908
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5909
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
5910
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5911 1 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5912 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5913 seckey, the seckey is zeroized. */
5914 1 memcpy(ctmp, orderc, 32);
5915 1 memset(ctmp2, 0, 32);
5916 1 ctmp2[31] = 0x01;
5917
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
5918
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
5919
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5920
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5921 1 memcpy(ctmp, orderc, 32);
5922
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5923
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5924 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5925 tweak, the seckey is zeroized. */
5926 1 memcpy(ctmp, orderc, 32);
5927 1 ctmp[31] = 0x40;
5928
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
5929
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5930 1 memcpy(ctmp, orderc, 32);
5931 1 ctmp[31] = 0x40;
5932
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5933
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
5934 1 memcpy(ctmp, orderc, 32);
5935 1 ctmp[31] = 0x40;
5936 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5937 tweak, the pubkey is zeroized. */
5938
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5939
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5940 1 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5941
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5942
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5943 1 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5944 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
5945 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
5946 * case the pubkey is zeroized. */
5947 1 memcpy(ctmp, orderc, 32);
5948 1 ctmp[31] = 0x40;
5949 1 memset(ctmp2, 0, 32);
5950 1 ctmp2[31] = 1;
5951
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5952
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
5953 1 ctmp2[31] = 1;
5954
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5955
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5956 1 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5957 /* Tweak computation wraps and results in a key of 1. */
5958 1 ctmp2[31] = 2;
5959
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5960
2/4
✓ Branch 0 taken 1 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 1 times.
1 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5961 1 ctmp2[31] = 2;
5962
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5963 1 ctmp2[31] = 1;
5964
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5965
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5966 /* Tweak mul * 2 = 1+1. */
5967
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5968 1 ctmp2[31] = 2;
5969
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5970
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5971 /* Test argument errors. */
5972 1 ecount = 0;
5973
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5974
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5975 /* Zeroize pubkey on parse error. */
5976 1 memset(&pubkey, 0, 32);
5977
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5978
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5979
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5980 1 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5981 1 memset(&pubkey2, 0, 32);
5982
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5983
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
5984
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5985 /* Plain argument errors. */
5986 1 ecount = 0;
5987
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
5988
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
5989
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
5990
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5991 1 ecount = 0;
5992 1 memset(ctmp2, 0, 32);
5993 1 ctmp2[31] = 4;
5994
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5995
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
5996
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5997
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
5998 1 ecount = 0;
5999 1 memset(ctmp2, 0, 32);
6000 1 ctmp2[31] = 4;
6001
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
6002
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
6003
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
6004
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6005 1 ecount = 0;
6006 1 memset(ctmp2, 0, 32);
6007
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
6008
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
6009
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
6010
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6011 1 ecount = 0;
6012 1 memset(ctmp2, 0, 32);
6013 1 ctmp2[31] = 1;
6014
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
6015
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
6016
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
6017
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6018 1 ecount = 0;
6019
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
6020
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
6021 1 memset(&pubkey, 1, sizeof(pubkey));
6022
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6023
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6024
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6025 /* secp256k1_ec_pubkey_combine tests. */
6026 1 ecount = 0;
6027 1 pubkeys[0] = &pubkey_one;
6028 1 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
6029 1 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
6030 1 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
6031 1 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6032 1 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6033
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
6034 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6035
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6036
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
6037
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
6038
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6039
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6040 1 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6041 1 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6042
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
6043 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6044
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6045
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
6046 1 pubkeys[0] = &pubkey_negone;
6047 1 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6048 1 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6049
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
6050 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6051
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6052
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
6053 1 len = 33;
6054
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6055
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6056
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6057 /* Result is infinity. */
6058 1 pubkeys[0] = &pubkey_one;
6059 1 pubkeys[1] = &pubkey_negone;
6060 1 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6061 1 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6062
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
6063 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6064
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6065
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
6066 /* Passes through infinity but comes out one. */
6067 1 pubkeys[2] = &pubkey_one;
6068 1 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6069 1 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6070
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
6071 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6072
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6073
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
6074 1 len = 33;
6075
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6076
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6077
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6078 /* Adds to two. */
6079 1 pubkeys[1] = &pubkey_one;
6080 1 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6081 1 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
6082
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
6083 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6084
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6085
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
6086
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6087 1 }
6088
6089 1 void run_eckey_negate_test(void) {
6090 1 unsigned char seckey[32];
6091 1 unsigned char seckey_tmp[32];
6092
6093 1 random_scalar_order_b32(seckey);
6094 1 memcpy(seckey_tmp, seckey, 32);
6095
6096 /* Verify negation changes the key and changes it back */
6097
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
6098
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6099
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
6100
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6101
6102 /* Check that privkey alias gives same result */
6103
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
6104
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
6105
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6106
6107 /* Negating all 0s fails */
6108 1 memset(seckey, 0, 32);
6109 1 memset(seckey_tmp, 0, 32);
6110
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
6111 /* Check that seckey is not modified */
6112
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6113
6114 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6115 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6116 * doesn't just set seckey to a constant value in case of failure. */
6117 1 random_scalar_order_b32(seckey);
6118 1 memset(seckey, 0xFF, 16);
6119 1 memset(seckey_tmp, 0, 32);
6120
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
6121
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6122 1 }
6123
6124 640 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6125 640 secp256k1_scalar nonce;
6126 640 do {
6127 640 random_scalar_order_test(&nonce);
6128
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 640 times.
640 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6129 640 }
6130
6131 640 void test_ecdsa_sign_verify(void) {
6132 640 secp256k1_gej pubj;
6133 640 secp256k1_ge pub;
6134 640 secp256k1_scalar one;
6135 640 secp256k1_scalar msg, key;
6136 640 secp256k1_scalar sigr, sigs;
6137 640 int getrec;
6138 640 int recid;
6139 640 random_scalar_order_test(&msg);
6140 640 random_scalar_order_test(&key);
6141 640 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
6142 640 secp256k1_ge_set_gej(&pub, &pubj);
6143 640 getrec = secp256k1_testrand_bits(1);
6144 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6145 See the commit messages of the commit that introduced this comment for details. */
6146
2/2
✓ Branch 0 taken 325 times.
✓ Branch 1 taken 315 times.
640 if (getrec) {
6147 325 random_sign(&sigr, &sigs, &key, &msg, &recid);
6148
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 325 times.
325 CHECK(recid >= 0 && recid < 4);
6149 } else {
6150 315 random_sign(&sigr, &sigs, &key, &msg, NULL);
6151 }
6152
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 640 times.
640 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6153 640 secp256k1_scalar_set_int(&one, 1);
6154 640 secp256k1_scalar_add(&msg, &msg, &one);
6155
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 640 times.
640 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6156 640 }
6157
6158 1 void run_ecdsa_sign_verify(void) {
6159 1 int i;
6160
2/2
✓ Branch 0 taken 640 times.
✓ Branch 1 taken 1 times.
641 for (i = 0; i < 10*count; i++) {
6161 640 test_ecdsa_sign_verify();
6162 }
6163 1 }
6164
6165 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
6166 6 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6167 6 (void)msg32;
6168 6 (void)key32;
6169 6 (void)algo16;
6170 6 memcpy(nonce32, data, 32);
6171 6 return (counter == 0);
6172 }
6173
6174 2 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6175 /* Dummy nonce generator that has a fatal error on the first counter value. */
6176
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 if (counter == 0) {
6177 return 0;
6178 }
6179 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6180 }
6181
6182 12 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6183 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6184
2/2
✓ Branch 0 taken 6 times.
✓ Branch 1 taken 6 times.
12 if (counter < 3) {
6185
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 2 times.
6 memset(nonce32, counter==0 ? 0 : 255, 32);
6186
2/2
✓ Branch 0 taken 2 times.
✓ Branch 1 taken 4 times.
6 if (counter == 2) {
6187 2 nonce32[31]--;
6188 }
6189 6 return 1;
6190 }
6191
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 2 times.
6 if (counter < 5) {
6192 4 static const unsigned char order[] = {
6193 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6194 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6195 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6196 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
6197 };
6198 4 memcpy(nonce32, order, 32);
6199
2/2
✓ Branch 0 taken 2 times.
✓ Branch 1 taken 2 times.
4 if (counter == 4) {
6200 2 nonce32[31]++;
6201 }
6202 4 return 1;
6203 }
6204 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6205 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6206
1/2
✓ Branch 0 taken 2 times.
✗ Branch 1 not taken.
2 if (counter > 5) {
6207 return 0;
6208 }
6209 2 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6210 }
6211
6212 1036 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6213 1036 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6214 1036 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6215 }
6216
6217 4096 void test_ecdsa_end_to_end(void) {
6218 4096 unsigned char extra[32] = {0x00};
6219 4096 unsigned char privkey[32];
6220 4096 unsigned char message[32];
6221 4096 unsigned char privkey2[32];
6222 4096 secp256k1_ecdsa_signature signature[6];
6223 4096 secp256k1_scalar r, s;
6224 4096 unsigned char sig[74];
6225 4096 size_t siglen = 74;
6226 4096 unsigned char pubkeyc[65];
6227 4096 size_t pubkeyclen = 65;
6228 4096 secp256k1_pubkey pubkey;
6229 4096 secp256k1_pubkey pubkey_tmp;
6230 4096 unsigned char seckey[300];
6231 4096 size_t seckeylen = 300;
6232
6233 /* Generate a random key and message. */
6234 {
6235 4096 secp256k1_scalar msg, key;
6236 4096 random_scalar_order_test(&msg);
6237 4096 random_scalar_order_test(&key);
6238 4096 secp256k1_scalar_get_b32(privkey, &key);
6239 4096 secp256k1_scalar_get_b32(message, &msg);
6240 }
6241
6242 /* Construct and verify corresponding public key. */
6243
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
4096 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
6244
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
4096 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
6245
6246 /* Verify exporting and importing public key. */
6247
3/4
✓ Branch 1 taken 2091 times.
✓ Branch 2 taken 2005 times.
✗ Branch 4 not taken.
✓ Branch 5 taken 4096 times.
6187 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6248 4096 memset(&pubkey, 0, sizeof(pubkey));
6249
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
4096 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
6250
6251 /* Verify negation changes the key and changes it back */
6252 4096 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6253
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
4096 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
6254
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4096 times.
4096 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6255
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
4096 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
6256
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4096 times.
4096 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6257
6258 /* Verify private key import and export. */
6259
1/2
✗ Branch 2 not taken.
✓ Branch 3 taken 4096 times.
4096 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
6260
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4096 times.
4096 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
6261
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4096 times.
4096 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6262
6263 /* Optionally tweak the keys using addition. */
6264
2/2
✓ Branch 1 taken 1409 times.
✓ Branch 2 taken 2687 times.
4096 if (secp256k1_testrand_int(3) == 0) {
6265 1409 int ret1;
6266 1409 int ret2;
6267 1409 int ret3;
6268 1409 unsigned char rnd[32];
6269 1409 unsigned char privkey_tmp[32];
6270 1409 secp256k1_pubkey pubkey2;
6271 1409 secp256k1_testrand256_test(rnd);
6272 1409 memcpy(privkey_tmp, privkey, 32);
6273 1409 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
6274 1409 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
6275 /* Check that privkey alias gives same result */
6276 1409 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
6277
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1409 times.
1409 CHECK(ret1 == ret2);
6278
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1409 times.
1409 CHECK(ret2 == ret3);
6279
2/2
✓ Branch 0 taken 19 times.
✓ Branch 1 taken 1390 times.
1409 if (ret1 == 0) {
6280 19 return;
6281 }
6282
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1390 times.
1390 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6283
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1390 times.
1390 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6284
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1390 times.
1390 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6285 }
6286
6287 /* Optionally tweak the keys using multiplication. */
6288
2/2
✓ Branch 1 taken 1329 times.
✓ Branch 2 taken 2748 times.
4077 if (secp256k1_testrand_int(3) == 0) {
6289 1329 int ret1;
6290 1329 int ret2;
6291 1329 int ret3;
6292 1329 unsigned char rnd[32];
6293 1329 unsigned char privkey_tmp[32];
6294 1329 secp256k1_pubkey pubkey2;
6295 1329 secp256k1_testrand256_test(rnd);
6296 1329 memcpy(privkey_tmp, privkey, 32);
6297 1329 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
6298 1329 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
6299 /* Check that privkey alias gives same result */
6300 1329 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
6301
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1329 times.
1329 CHECK(ret1 == ret2);
6302
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1329 times.
1329 CHECK(ret2 == ret3);
6303
2/2
✓ Branch 0 taken 10 times.
✓ Branch 1 taken 1319 times.
1329 if (ret1 == 0) {
6304 10 return;
6305 }
6306
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1319 times.
1319 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
6307
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1319 times.
1319 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6308
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1319 times.
1319 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6309 }
6310
6311 /* Sign. */
6312
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
6313
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
6314
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
6315 4067 extra[31] = 1;
6316
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
6317 4067 extra[31] = 0;
6318 4067 extra[0] = 1;
6319
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
6320
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6321
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6322
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6323
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6324
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6325
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6326
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6327 /* Verify. */
6328
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6329
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
6330
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
6331
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
6332 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6333
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
6334 4067 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
6335 4067 secp256k1_scalar_negate(&s, &s);
6336 4067 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6337
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
6338
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6339
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6340
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6341
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6342
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6343 4067 secp256k1_scalar_negate(&s, &s);
6344 4067 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6345
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6346
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6347
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 4067 times.
4067 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6348
6349 /* Serialize/parse DER and verify again */
6350
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6351 4067 memset(&signature[0], 0, sizeof(signature[0]));
6352
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
6353
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6354 /* Serialize/destroy/parse DER and verify again. */
6355 4067 siglen = 74;
6356
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 4067 times.
4067 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6357 4067 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
6358
3/4
✓ Branch 1 taken 3677 times.
✓ Branch 2 taken 390 times.
✗ Branch 4 not taken.
✓ Branch 5 taken 3677 times.
4067 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
6359 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
6360 }
6361
6362 640 void test_random_pubkeys(void) {
6363 640 secp256k1_ge elem;
6364 640 secp256k1_ge elem2;
6365 640 unsigned char in[65];
6366 /* Generate some randomly sized pubkeys. */
6367
2/2
✓ Branch 1 taken 490 times.
✓ Branch 2 taken 150 times.
640 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
6368
2/2
✓ Branch 1 taken 161 times.
✓ Branch 2 taken 479 times.
640 if (secp256k1_testrand_bits(2) == 0) {
6369 161 len = secp256k1_testrand_bits(6);
6370 }
6371
2/2
✓ Branch 0 taken 114 times.
✓ Branch 1 taken 526 times.
640 if (len == 65) {
6372
4/4
✓ Branch 1 taken 55 times.
✓ Branch 2 taken 59 times.
✓ Branch 4 taken 31 times.
✓ Branch 5 taken 24 times.
145 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
6373 } else {
6374
2/2
✓ Branch 1 taken 248 times.
✓ Branch 2 taken 278 times.
774 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
6375 }
6376
2/2
✓ Branch 1 taken 82 times.
✓ Branch 2 taken 558 times.
640 if (secp256k1_testrand_bits(3) == 0) {
6377 82 in[0] = secp256k1_testrand_bits(8);
6378 }
6379
2/2
✓ Branch 0 taken 637 times.
✓ Branch 1 taken 3 times.
640 if (len > 1) {
6380 637 secp256k1_testrand256(&in[1]);
6381 }
6382
2/2
✓ Branch 0 taken 193 times.
✓ Branch 1 taken 444 times.
637 if (len > 33) {
6383 193 secp256k1_testrand256(&in[33]);
6384 }
6385
2/2
✓ Branch 1 taken 168 times.
✓ Branch 2 taken 472 times.
640 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6386 168 unsigned char out[65];
6387 168 unsigned char firstb;
6388 168 int res;
6389 168 size_t size = len;
6390 168 firstb = in[0];
6391 /* If the pubkey can be parsed, it should round-trip... */
6392
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 168 times.
168 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
6393
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
168 CHECK(size == len);
6394
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
336 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6395 /* ... except for the type of hybrid inputs. */
6396
1/2
✓ Branch 0 taken 168 times.
✗ Branch 1 not taken.
168 if ((in[0] != 6) && (in[0] != 7)) {
6397
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
168 CHECK(in[0] == out[0]);
6398 }
6399 168 size = 65;
6400
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 168 times.
168 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
6401
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 168 times.
168 CHECK(size == 65);
6402
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 168 times.
168 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6403 168 ge_equals_ge(&elem,&elem2);
6404 /* Check that the X9.62 hybrid type is checked. */
6405
2/2
✓ Branch 1 taken 77 times.
✓ Branch 2 taken 91 times.
168 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
6406 168 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6407
1/2
✓ Branch 0 taken 168 times.
✗ Branch 1 not taken.
168 if (firstb == 2 || firstb == 3) {
6408
2/2
✓ Branch 0 taken 78 times.
✓ Branch 1 taken 90 times.
168 if (in[0] == firstb + 4) {
6409
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 78 times.
78 CHECK(res);
6410 } else {
6411
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 90 times.
90 CHECK(!res);
6412 }
6413 }
6414
2/2
✓ Branch 0 taken 78 times.
✓ Branch 1 taken 90 times.
168 if (res) {
6415 78 ge_equals_ge(&elem,&elem2);
6416
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 78 times.
78 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
6417
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 78 times.
168 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6418 }
6419 }
6420 640 }
6421
6422 1 void run_pubkey_comparison(void) {
6423 1 unsigned char pk1_ser[33] = {
6424 0x02,
6425 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6426 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6427 };
6428 1 const unsigned char pk2_ser[33] = {
6429 0x02,
6430 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6431 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6432 };
6433 1 secp256k1_pubkey pk1;
6434 1 secp256k1_pubkey pk2;
6435 1 int32_t ecount = 0;
6436
6437
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6438
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6439
6440
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6441
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
6442
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
6443
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
6444
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6445
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6446
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6447
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
6448
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
6449
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6450 {
6451 1 secp256k1_pubkey pk_tmp;
6452 1 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6453
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
6454
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
6455
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
6456
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 5);
6457
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
6458
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 6);
6459 }
6460
6461
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
6462
6463 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6464 * an uncompressed encoding, these would have the opposite ordering */
6465 1 pk1_ser[0] = 3;
6466
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6467
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6468
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6469 1 }
6470
6471 1 void run_random_pubkeys(void) {
6472 1 int i;
6473
2/2
✓ Branch 0 taken 640 times.
✓ Branch 1 taken 1 times.
641 for (i = 0; i < 10*count; i++) {
6474 640 test_random_pubkeys();
6475 }
6476 1 }
6477
6478 1 void run_ecdsa_end_to_end(void) {
6479 1 int i;
6480
2/2
✓ Branch 0 taken 4096 times.
✓ Branch 1 taken 1 times.
4097 for (i = 0; i < 64*count; i++) {
6481 4096 test_ecdsa_end_to_end();
6482 }
6483 1 }
6484
6485 204800 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
6486 204800 static const unsigned char zeroes[32] = {0};
6487
6488 204800 int ret = 0;
6489
6490 204800 secp256k1_ecdsa_signature sig_der;
6491 204800 unsigned char roundtrip_der[2048];
6492 204800 unsigned char compact_der[64];
6493 204800 size_t len_der = 2048;
6494 204800 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6495
6496 204800 secp256k1_ecdsa_signature sig_der_lax;
6497 204800 unsigned char roundtrip_der_lax[2048];
6498 204800 unsigned char compact_der_lax[64];
6499 204800 size_t len_der_lax = 2048;
6500 204800 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6501
6502 204800 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
6503
2/2
✓ Branch 0 taken 9897 times.
✓ Branch 1 taken 194903 times.
204800 if (parsed_der) {
6504 9897 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
6505
4/4
✓ Branch 0 taken 9486 times.
✓ Branch 1 taken 411 times.
✓ Branch 2 taken 9063 times.
✓ Branch 3 taken 423 times.
29280 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
6506 }
6507 9063 if (valid_der) {
6508
1/2
✓ Branch 1 taken 9063 times.
✗ Branch 2 not taken.
9063 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
6509
2/4
✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 9063 times.
18126 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
6510 }
6511
6512 204800 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
6513
2/2
✓ Branch 0 taken 23280 times.
✓ Branch 1 taken 181520 times.
204800 if (parsed_der_lax) {
6514
1/2
✓ Branch 1 taken 23280 times.
✗ Branch 2 not taken.
23280 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
6515
4/4
✓ Branch 0 taken 19945 times.
✓ Branch 1 taken 3335 times.
✓ Branch 2 taken 18782 times.
✓ Branch 3 taken 1163 times.
66505 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6516 }
6517 18782 if (valid_der_lax) {
6518
1/2
✓ Branch 1 taken 18782 times.
✗ Branch 2 not taken.
18782 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6519
4/4
✓ Branch 0 taken 9586 times.
✓ Branch 1 taken 9196 times.
✓ Branch 2 taken 523 times.
✓ Branch 3 taken 9063 times.
28368 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6520 }
6521
6522
2/2
✓ Branch 0 taken 3266 times.
✓ Branch 1 taken 201534 times.
204800 if (certainly_der) {
6523
1/2
✓ Branch 0 taken 3266 times.
✗ Branch 1 not taken.
6532 ret |= (!parsed_der) << 2;
6524 }
6525
2/2
✓ Branch 0 taken 9534 times.
✓ Branch 1 taken 195266 times.
204800 if (certainly_not_der) {
6526 9534 ret |= (parsed_der) << 17;
6527 }
6528
2/2
✓ Branch 0 taken 9063 times.
✓ Branch 1 taken 195737 times.
204800 if (valid_der) {
6529
1/2
✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
9063 ret |= (!roundtrips_der) << 3;
6530 }
6531
6532 9063 if (valid_der) {
6533
1/2
✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
9063 ret |= (!roundtrips_der_lax) << 12;
6534
1/2
✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
9063 ret |= (len_der != len_der_lax) << 13;
6535
2/4
✓ Branch 0 taken 9063 times.
✗ Branch 1 not taken.
✗ Branch 2 not taken.
✓ Branch 3 taken 9063 times.
18126 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6536 }
6537
1/2
✓ Branch 0 taken 204800 times.
✗ Branch 1 not taken.
204800 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6538
2/2
✓ Branch 0 taken 9897 times.
✓ Branch 1 taken 194903 times.
204800 if (parsed_der) {
6539
1/2
✓ Branch 0 taken 9897 times.
✗ Branch 1 not taken.
19794 ret |= (!parsed_der_lax) << 16;
6540 }
6541
6542 204800 return ret;
6543 }
6544
6545 23448 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
6546 23448 size_t i;
6547
2/2
✓ Branch 0 taken 376310 times.
✓ Branch 1 taken 23448 times.
399758 for (i = 0; i < ptrlen; i++) {
6548 376310 int shift = ptrlen - 1 - i;
6549
2/2
✓ Branch 0 taken 294774 times.
✓ Branch 1 taken 81536 times.
376310 if (shift >= 4) {
6550 294774 ptr[i] = 0;
6551 } else {
6552 81536 ptr[i] = (val >> shift) & 0xFF;
6553 }
6554 }
6555 23448 }
6556
6557 192000 static void damage_array(unsigned char *sig, size_t *len) {
6558 192000 int pos;
6559 192000 int action = secp256k1_testrand_bits(3);
6560
3/4
✓ Branch 0 taken 24131 times.
✓ Branch 1 taken 167869 times.
✓ Branch 2 taken 24131 times.
✗ Branch 3 not taken.
192000 if (action < 1 && *len > 3) {
6561 /* Delete a byte. */
6562 24131 pos = secp256k1_testrand_int(*len);
6563 24131 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6564 24131 (*len)--;
6565 24131 return;
6566
3/4
✓ Branch 0 taken 23896 times.
✓ Branch 1 taken 143973 times.
✓ Branch 2 taken 23896 times.
✗ Branch 3 not taken.
167869 } else if (action < 2 && *len < 2048) {
6567 /* Insert a byte. */
6568 23896 pos = secp256k1_testrand_int(1 + *len);
6569 23896 memmove(sig + pos + 1, sig + pos, *len - pos);
6570 23896 sig[pos] = secp256k1_testrand_bits(8);
6571 23896 (*len)++;
6572 23896 return;
6573
2/2
✓ Branch 0 taken 48233 times.
✓ Branch 1 taken 95740 times.
143973 } else if (action < 4) {
6574 /* Modify a byte. */
6575 48233 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
6576 48233 return;
6577 } else { /* action < 8 */
6578 /* Modify a bit. */
6579 95740 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
6580 95740 return;
6581 }
6582 }
6583
6584 12800 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
6585 12800 int der;
6586 12800 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6587 12800 size_t tlen, elen, glen;
6588 12800 int indet;
6589 12800 int n;
6590
6591 12800 *len = 0;
6592 12800 der = secp256k1_testrand_bits(2) == 0;
6593 12800 *certainly_der = der;
6594 12800 *certainly_not_der = 0;
6595
4/4
✓ Branch 0 taken 9534 times.
✓ Branch 1 taken 3266 times.
✓ Branch 3 taken 8606 times.
✓ Branch 4 taken 928 times.
12800 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
6596
6597
2/2
✓ Branch 0 taken 25600 times.
✓ Branch 1 taken 12800 times.
38400 for (n = 0; n < 2; n++) {
6598 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6599
4/4
✓ Branch 0 taken 19068 times.
✓ Branch 1 taken 6532 times.
✓ Branch 3 taken 16747 times.
✓ Branch 4 taken 2321 times.
25600 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
6600 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6601
2/2
✓ Branch 0 taken 23279 times.
✓ Branch 1 taken 2321 times.
25600 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_bits(3) / 8;
6602
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25600 times.
25600 CHECK(nlen[n] <= 232);
6603 /* The top bit of the number. */
6604
6/6
✓ Branch 0 taken 2321 times.
✓ Branch 1 taken 23279 times.
✓ Branch 2 taken 1991 times.
✓ Branch 3 taken 330 times.
✓ Branch 4 taken 24578 times.
✓ Branch 5 taken 692 times.
25600 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
6605 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6606
4/4
✓ Branch 0 taken 24908 times.
✓ Branch 1 taken 692 times.
✓ Branch 2 taken 12528 times.
✓ Branch 3 taken 12380 times.
25600 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
6607 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6608
8/8
✓ Branch 0 taken 6532 times.
✓ Branch 1 taken 19068 times.
✓ Branch 2 taken 6355 times.
✓ Branch 3 taken 177 times.
✓ Branch 4 taken 3154 times.
✓ Branch 5 taken 3201 times.
✓ Branch 6 taken 16747 times.
✓ Branch 7 taken 2321 times.
25600 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_bits(3) / 8);
6609
6/6
✓ Branch 0 taken 24908 times.
✓ Branch 1 taken 692 times.
✓ Branch 2 taken 12528 times.
✓ Branch 3 taken 12380 times.
✓ Branch 4 taken 10367 times.
✓ Branch 5 taken 15233 times.
38820 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6610 10367 *certainly_not_der = 1;
6611 }
6612
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25600 times.
25600 CHECK(nlen[n] + nzlen[n] <= 300);
6613 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6614
4/4
✓ Branch 0 taken 1039 times.
✓ Branch 1 taken 24561 times.
✓ Branch 2 taken 31 times.
✓ Branch 3 taken 1008 times.
25600 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6615
2/2
✓ Branch 0 taken 19068 times.
✓ Branch 1 taken 6532 times.
25600 if (!der) {
6616 /* nlenlen[n] max 127 bytes */
6617 19068 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6618 19068 nlenlen[n] += add;
6619
2/2
✓ Branch 0 taken 15075 times.
✓ Branch 1 taken 3993 times.
19068 if (add != 0) {
6620 15075 *certainly_not_der = 1;
6621 }
6622 }
6623
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25600 times.
25600 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6624 }
6625
6626 /* The total length of the data to go, so far */
6627 12800 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6628
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 CHECK(tlen <= 856);
6629
6630 /* The length of the garbage inside the tuple. */
6631
2/2
✓ Branch 0 taken 8606 times.
✓ Branch 1 taken 4194 times.
12800 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_bits(3) / 8;
6632
2/2
✓ Branch 0 taken 1121 times.
✓ Branch 1 taken 7485 times.
8606 if (elen != 0) {
6633 7485 *certainly_not_der = 1;
6634 }
6635 12800 tlen += elen;
6636
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 CHECK(tlen <= 980);
6637
6638 /* The length of the garbage after the end of the tuple. */
6639
2/2
✓ Branch 0 taken 9534 times.
✓ Branch 1 taken 3266 times.
12800 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_bits(3) / 8;
6640
2/2
✓ Branch 0 taken 1278 times.
✓ Branch 1 taken 8256 times.
9534 if (glen != 0) {
6641 8256 *certainly_not_der = 1;
6642 }
6643
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 CHECK(tlen + glen <= 990);
6644
6645 /* Write the tuple header. */
6646 12800 sig[(*len)++] = 0x30;
6647
2/2
✓ Branch 0 taken 928 times.
✓ Branch 1 taken 11872 times.
12800 if (indet) {
6648 /* Indeterminate length */
6649 928 sig[(*len)++] = 0x80;
6650 928 *certainly_not_der = 1;
6651 } else {
6652
4/4
✓ Branch 0 taken 6486 times.
✓ Branch 1 taken 5386 times.
✓ Branch 2 taken 3995 times.
✓ Branch 3 taken 2491 times.
11872 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6653
2/2
✓ Branch 0 taken 8606 times.
✓ Branch 1 taken 3266 times.
11872 if (!der) {
6654 8606 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_bits(4) * secp256k1_testrand_bits(4) / 256;
6655 8606 tlenlen += add;
6656
2/2
✓ Branch 0 taken 1825 times.
✓ Branch 1 taken 6781 times.
8606 if (add != 0) {
6657 6781 *certainly_not_der = 1;
6658 }
6659 }
6660
2/2
✓ Branch 0 taken 3717 times.
✓ Branch 1 taken 8155 times.
11872 if (tlenlen == 0) {
6661 /* Short length notation */
6662 3717 sig[(*len)++] = tlen;
6663 } else {
6664 /* Long length notation */
6665 8155 sig[(*len)++] = 128 + tlenlen;
6666 8155 assign_big_endian(sig + *len, tlenlen, tlen);
6667 8155 *len += tlenlen;
6668 }
6669 11872 tlen += tlenlen;
6670 }
6671 12800 tlen += 2;
6672
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 CHECK(tlen + glen <= 1119);
6673
6674
2/2
✓ Branch 0 taken 25600 times.
✓ Branch 1 taken 12800 times.
38400 for (n = 0; n < 2; n++) {
6675 /* Write the integer header. */
6676 25600 sig[(*len)++] = 0x02;
6677
2/2
✓ Branch 0 taken 10307 times.
✓ Branch 1 taken 15293 times.
25600 if (nlenlen[n] == 0) {
6678 /* Short length notation */
6679 10307 sig[(*len)++] = nlen[n] + nzlen[n];
6680 } else {
6681 /* Long length notation. */
6682 15293 sig[(*len)++] = 128 + nlenlen[n];
6683 15293 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6684 15293 *len += nlenlen[n];
6685 }
6686 /* Write zero padding */
6687
2/2
✓ Branch 0 taken 134922 times.
✓ Branch 1 taken 25600 times.
160522 while (nzlen[n] > 0) {
6688 134922 sig[(*len)++] = 0x00;
6689 134922 nzlen[n]--;
6690 }
6691
4/4
✓ Branch 0 taken 1058 times.
✓ Branch 1 taken 24542 times.
✓ Branch 2 taken 330 times.
✓ Branch 3 taken 728 times.
25600 if (nlen[n] == 32 && !nlow[n]) {
6692 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6693 int i;
6694
2/2
✓ Branch 0 taken 5280 times.
✓ Branch 1 taken 330 times.
5610 for (i = 0; i < 16; i++) {
6695 5280 sig[(*len)++] = 0xFF;
6696 }
6697 330 nlen[n] -= 16;
6698 }
6699 /* Write first byte of number */
6700
2/2
✓ Branch 0 taken 24908 times.
✓ Branch 1 taken 692 times.
25600 if (nlen[n] > 0) {
6701 24908 sig[(*len)++] = nhbyte[n];
6702 24908 nlen[n]--;
6703 }
6704 /* Generate remaining random bytes of number */
6705 25600 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
6706 25600 *len += nlen[n];
6707 25600 nlen[n] = 0;
6708 }
6709
6710 /* Generate random garbage inside tuple. */
6711 12800 secp256k1_testrand_bytes_test(sig + *len, elen);
6712 12800 *len += elen;
6713
6714 /* Generate end-of-contents bytes. */
6715
2/2
✓ Branch 0 taken 928 times.
✓ Branch 1 taken 11872 times.
12800 if (indet) {
6716 928 sig[(*len)++] = 0;
6717 928 sig[(*len)++] = 0;
6718 928 tlen += 2;
6719 }
6720
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 CHECK(tlen + glen <= 1121);
6721
6722 /* Generate random garbage outside tuple. */
6723 12800 secp256k1_testrand_bytes_test(sig + *len, glen);
6724 12800 *len += glen;
6725 12800 tlen += glen;
6726 12800 CHECK(tlen <= 1121);
6727
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 CHECK(tlen == *len);
6728 12800 }
6729
6730 1 void run_ecdsa_der_parse(void) {
6731 1 int i,j;
6732
2/2
✓ Branch 0 taken 12800 times.
✓ Branch 1 taken 1 times.
12801 for (i = 0; i < 200 * count; i++) {
6733 12800 unsigned char buffer[2048];
6734 12800 size_t buflen = 0;
6735 12800 int certainly_der = 0;
6736 12800 int certainly_not_der = 0;
6737 12800 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6738
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 12800 times.
12800 CHECK(buflen <= 2048);
6739
2/2
✓ Branch 0 taken 204800 times.
✓ Branch 1 taken 12800 times.
217600 for (j = 0; j < 16; j++) {
6740 204800 int ret = 0;
6741
2/2
✓ Branch 0 taken 192000 times.
✓ Branch 1 taken 12800 times.
204800 if (j > 0) {
6742 192000 damage_array(buffer, &buflen);
6743 /* We don't know anything anymore about the DERness of the result */
6744 192000 certainly_der = 0;
6745 192000 certainly_not_der = 0;
6746 }
6747 204800 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6748
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 204800 times.
204800 if (ret != 0) {
6749 size_t k;
6750 fprintf(stderr, "Failure %x on ", ret);
6751 for (k = 0; k < buflen; k++) {
6752 fprintf(stderr, "%02x ", buffer[k]);
6753 }
6754 fprintf(stderr, "\n");
6755 }
6756
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 204800 times.
204800 CHECK(ret == 0);
6757 }
6758 }
6759 1 }
6760
6761 /* Tests several edge cases. */
6762 1 void test_ecdsa_edge_cases(void) {
6763 1 int t;
6764 1 secp256k1_ecdsa_signature sig;
6765
6766 /* Test the case where ECDSA recomputes a point that is infinity. */
6767 {
6768 1 secp256k1_gej keyj;
6769 1 secp256k1_ge key;
6770 1 secp256k1_scalar msg;
6771 1 secp256k1_scalar sr, ss;
6772 1 secp256k1_scalar_set_int(&ss, 1);
6773 1 secp256k1_scalar_negate(&ss, &ss);
6774 1 secp256k1_scalar_inverse(&ss, &ss);
6775 1 secp256k1_scalar_set_int(&sr, 1);
6776 1 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
6777 1 secp256k1_ge_set_gej(&key, &keyj);
6778 1 msg = ss;
6779
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6780 }
6781
6782 /* Verify signature with r of zero fails. */
6783 {
6784 1 const unsigned char pubkey_mods_zero[33] = {
6785 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6786 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6787 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6788 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6789 0x41
6790 };
6791 1 secp256k1_ge key;
6792 1 secp256k1_scalar msg;
6793 1 secp256k1_scalar sr, ss;
6794 1 secp256k1_scalar_set_int(&ss, 1);
6795 1 secp256k1_scalar_set_int(&msg, 0);
6796 1 secp256k1_scalar_set_int(&sr, 0);
6797
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6798
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
6799 }
6800
6801 /* Verify signature with s of zero fails. */
6802 {
6803 1 const unsigned char pubkey[33] = {
6804 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6805 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6808 0x01
6809 };
6810 1 secp256k1_ge key;
6811 1 secp256k1_scalar msg;
6812 1 secp256k1_scalar sr, ss;
6813 1 secp256k1_scalar_set_int(&ss, 0);
6814 1 secp256k1_scalar_set_int(&msg, 0);
6815 1 secp256k1_scalar_set_int(&sr, 1);
6816
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6817
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6818 }
6819
6820 /* Verify signature with message 0 passes. */
6821 {
6822 1 const unsigned char pubkey[33] = {
6823 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6824 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6827 0x02
6828 };
6829 1 const unsigned char pubkey2[33] = {
6830 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6831 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6832 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6833 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6834 0x43
6835 };
6836 1 secp256k1_ge key;
6837 1 secp256k1_ge key2;
6838 1 secp256k1_scalar msg;
6839 1 secp256k1_scalar sr, ss;
6840 1 secp256k1_scalar_set_int(&ss, 2);
6841 1 secp256k1_scalar_set_int(&msg, 0);
6842 1 secp256k1_scalar_set_int(&sr, 2);
6843
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6844
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6845
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6846
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6847 1 secp256k1_scalar_negate(&ss, &ss);
6848
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6849
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6850 1 secp256k1_scalar_set_int(&ss, 1);
6851
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6852
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6853 }
6854
6855 /* Verify signature with message 1 passes. */
6856 {
6857 1 const unsigned char pubkey[33] = {
6858 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
6859 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
6860 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
6861 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
6862 0x25
6863 };
6864 1 const unsigned char pubkey2[33] = {
6865 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
6866 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
6867 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
6868 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
6869 0x62
6870 };
6871 1 const unsigned char csr[32] = {
6872 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6873 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6874 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6875 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
6876 };
6877 1 secp256k1_ge key;
6878 1 secp256k1_ge key2;
6879 1 secp256k1_scalar msg;
6880 1 secp256k1_scalar sr, ss;
6881 1 secp256k1_scalar_set_int(&ss, 1);
6882 1 secp256k1_scalar_set_int(&msg, 1);
6883 1 secp256k1_scalar_set_b32(&sr, csr, NULL);
6884
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6885
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
6886
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6887
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6888 1 secp256k1_scalar_negate(&ss, &ss);
6889
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6890
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
6891 1 secp256k1_scalar_set_int(&ss, 2);
6892 1 secp256k1_scalar_inverse_var(&ss, &ss);
6893
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6894
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
6895 }
6896
6897 /* Verify signature with message -1 passes. */
6898 {
6899 1 const unsigned char pubkey[33] = {
6900 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
6901 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
6902 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
6903 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
6904 0xf1
6905 };
6906 1 const unsigned char csr[32] = {
6907 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6908 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6909 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6910 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
6911 };
6912 1 secp256k1_ge key;
6913 1 secp256k1_scalar msg;
6914 1 secp256k1_scalar sr, ss;
6915 1 secp256k1_scalar_set_int(&ss, 1);
6916 1 secp256k1_scalar_set_int(&msg, 1);
6917 1 secp256k1_scalar_negate(&msg, &msg);
6918 1 secp256k1_scalar_set_b32(&sr, csr, NULL);
6919
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
6920
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6921 1 secp256k1_scalar_negate(&ss, &ss);
6922
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
6923 1 secp256k1_scalar_set_int(&ss, 3);
6924 1 secp256k1_scalar_inverse_var(&ss, &ss);
6925
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
6926 }
6927
6928 /* Signature where s would be zero. */
6929 {
6930 1 secp256k1_pubkey pubkey;
6931 1 size_t siglen;
6932 1 int32_t ecount;
6933 1 unsigned char signature[72];
6934 1 static const unsigned char nonce[32] = {
6935 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6936 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6937 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6938 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6939 };
6940 1 static const unsigned char nonce2[32] = {
6941 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6942 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6943 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6944 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
6945 };
6946 1 const unsigned char key[32] = {
6947 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6948 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6949 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6950 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6951 };
6952 1 unsigned char msg[32] = {
6953 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
6954 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
6955 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
6956 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
6957 };
6958 1 ecount = 0;
6959
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6960
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
6961
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
6962 1 msg[31] = 0xaa;
6963
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
6964
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 0);
6965
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
6966
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
6967
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
6968
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
6969
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
6970
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
6971
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
6972
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
6973
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
6974
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 4);
6975
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
6976
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 5);
6977
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
6978
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 6);
6979
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
6980
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 6);
6981
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6982
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 7);
6983 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
6984
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
6985
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 8);
6986 1 siglen = 72;
6987
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
6988
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 9);
6989
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
6990
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 10);
6991
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
6992
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 11);
6993
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
6994
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 11);
6995
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
6996
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 12);
6997
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
6998
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 13);
6999
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
7000
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 13);
7001 1 siglen = 10;
7002 /* Too little room for a signature does not fail via ARGCHECK. */
7003
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
7004
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 13);
7005 1 ecount = 0;
7006
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
7007
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 1);
7008
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
7009
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 2);
7010
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
7011
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
7012
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
7013
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 3);
7014
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
7015
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 4);
7016
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
7017
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 5);
7018
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
7019
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 5);
7020 1 memset(signature, 255, 64);
7021
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
7022
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(ecount == 5);
7023
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
7024 }
7025
7026 /* Nonce function corner cases. */
7027
2/2
✓ Branch 0 taken 2 times.
✓ Branch 1 taken 1 times.
3 for (t = 0; t < 2; t++) {
7028 2 static const unsigned char zero[32] = {0x00};
7029 2 int i;
7030 2 unsigned char key[32];
7031 2 unsigned char msg[32];
7032 2 secp256k1_ecdsa_signature sig2;
7033 2 secp256k1_scalar sr[512], ss;
7034 2 const unsigned char *extra;
7035
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 1 times.
2 extra = t == 0 ? NULL : zero;
7036 2 memset(msg, 0, 32);
7037 2 msg[31] = 1;
7038 /* High key results in signature failure. */
7039 2 memset(key, 0xFF, 32);
7040
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
7041
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(is_empty_signature(&sig));
7042 /* Zero key results in signature failure. */
7043 2 memset(key, 0, 32);
7044
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
7045
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(is_empty_signature(&sig));
7046 /* Nonce function failure results in signature failure. */
7047 2 key[31] = 1;
7048
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7049
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(is_empty_signature(&sig));
7050 /* The retry loop successfully makes its way to the first good value. */
7051
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7052
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(!is_empty_signature(&sig));
7053
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7054
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(!is_empty_signature(&sig2));
7055
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7056 /* The default nonce function is deterministic. */
7057
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 2 times.
2 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
7058
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(!is_empty_signature(&sig2));
7059
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
2 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7060 /* The default nonce function changes output with different messages. */
7061
2/2
✓ Branch 0 taken 512 times.
✓ Branch 1 taken 2 times.
514 for(i = 0; i < 256; i++) {
7062 512 int j;
7063 512 msg[0] = i;
7064
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
7065
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 512 times.
512 CHECK(!is_empty_signature(&sig2));
7066 512 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
7067
2/2
✓ Branch 1 taken 65280 times.
✓ Branch 2 taken 512 times.
66304 for (j = 0; j < i; j++) {
7068
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 65280 times.
65280 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7069 }
7070 }
7071 2 msg[0] = 0;
7072 2 msg[31] = 2;
7073 /* The default nonce function changes output with different keys. */
7074
2/2
✓ Branch 0 taken 512 times.
✓ Branch 1 taken 2 times.
514 for(i = 256; i < 512; i++) {
7075 512 int j;
7076 512 key[0] = i - 256;
7077
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 512 times.
512 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
7078
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 512 times.
512 CHECK(!is_empty_signature(&sig2));
7079 512 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
7080
2/2
✓ Branch 1 taken 196352 times.
✓ Branch 2 taken 512 times.
197376 for (j = 0; j < i; j++) {
7081
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 196352 times.
196352 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7082 }
7083 }
7084 2 key[0] = 0;
7085 }
7086
7087 {
7088 /* Check that optional nonce arguments do not have equivalent effect. */
7089 1 const unsigned char zeros[32] = {0};
7090 1 unsigned char nonce[32];
7091 1 unsigned char nonce2[32];
7092 1 unsigned char nonce3[32];
7093 1 unsigned char nonce4[32];
7094 1 VG_UNDEF(nonce,32);
7095 1 VG_UNDEF(nonce2,32);
7096 1 VG_UNDEF(nonce3,32);
7097 1 VG_UNDEF(nonce4,32);
7098
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7099 1 VG_CHECK(nonce,32);
7100
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7101 1 VG_CHECK(nonce2,32);
7102
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7103 1 VG_CHECK(nonce3,32);
7104
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7105 VG_CHECK(nonce4,32);
7106
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7107
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7108
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7109
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7110
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7111
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7112 }
7113
7114
7115 /* Privkey export where pubkey is the point at infinity. */
7116 {
7117 1 unsigned char privkey[300];
7118 1 unsigned char seckey[32] = {
7119 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7120 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
7121 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
7122 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
7123 };
7124 1 size_t outlen = 300;
7125
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
7126 1 outlen = 300;
7127
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
7128 }
7129 1 }
7130
7131 1 void run_ecdsa_edge_cases(void) {
7132 test_ecdsa_edge_cases();
7133 }
7134
7135 #ifdef ENABLE_MODULE_BPPP
7136 # include "modules/bppp/tests_impl.h"
7137 #endif
7138
7139 #ifdef ENABLE_MODULE_ECDH
7140 # include "modules/ecdh/tests_impl.h"
7141 #endif
7142
7143 #ifdef ENABLE_MODULE_MUSIG
7144 # include "modules/musig/tests_impl.h"
7145 #endif
7146
7147 #ifdef ENABLE_MODULE_RECOVERY
7148 # include "modules/recovery/tests_impl.h"
7149 #endif
7150
7151 #ifdef ENABLE_MODULE_GENERATOR
7152 # include "modules/generator/tests_impl.h"
7153 #endif
7154
7155 #ifdef ENABLE_MODULE_RANGEPROOF
7156 # include "modules/rangeproof/tests_impl.h"
7157 #endif
7158
7159 #ifdef ENABLE_MODULE_WHITELIST
7160 # include "modules/whitelist/tests_impl.h"
7161 #endif
7162
7163 #ifdef ENABLE_MODULE_SURJECTIONPROOF
7164 # include "modules/surjection/tests_impl.h"
7165 #endif
7166
7167 #ifdef ENABLE_MODULE_EXTRAKEYS
7168 # include "modules/extrakeys/tests_impl.h"
7169 #endif
7170
7171 #ifdef ENABLE_MODULE_SCHNORRSIG
7172 # include "modules/schnorrsig/tests_impl.h"
7173 #endif
7174
7175 #ifdef ENABLE_MODULE_ECDSA_S2C
7176 # include "modules/ecdsa_s2c/tests_impl.h"
7177 #endif
7178
7179 #ifdef ENABLE_MODULE_ECDSA_ADAPTOR
7180 # include "modules/ecdsa_adaptor/tests_impl.h"
7181 #endif
7182
7183 1 void run_secp256k1_memczero_test(void) {
7184 1 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7185 1 unsigned char buf2[sizeof(buf1)];
7186
7187 /* secp256k1_memczero(..., ..., 0) is a noop. */
7188 1 memcpy(buf2, buf1, sizeof(buf1));
7189
2/2
✓ Branch 0 taken 6 times.
✓ Branch 1 taken 1 times.
8 secp256k1_memczero(buf1, sizeof(buf1), 0);
7190
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7191
7192 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7193 1 memset(buf2, 0, sizeof(buf2));
7194
2/2
✓ Branch 0 taken 6 times.
✓ Branch 1 taken 1 times.
8 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7195
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7196 1 }
7197
7198 1 void run_secp256k1_byteorder_tests(void) {
7199 1 const uint32_t x = 0xFF03AB45;
7200 1 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7201 1 unsigned char buf[4];
7202 1 uint32_t x_;
7203
7204
2/2
✓ Branch 0 taken 4 times.
✓ Branch 1 taken 1 times.
5 secp256k1_write_be32(buf, x);
7205
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7206
7207 1 x_ = secp256k1_read_be32(buf);
7208 1 CHECK(x == x_);
7209 1 }
7210
7211 1 void int_cmov_test(void) {
7212 1 int r = INT_MAX;
7213 1 int a = 0;
7214
7215
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_int_cmov(&r, &a, 0);
7216
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(r == INT_MAX);
7217
7218 1 r = 0; a = INT_MAX;
7219
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_int_cmov(&r, &a, 1);
7220
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(r == INT_MAX);
7221
7222 1 a = 0;
7223
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_int_cmov(&r, &a, 1);
7224
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(r == 0);
7225
7226 1 a = 1;
7227
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_int_cmov(&r, &a, 1);
7228
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(r == 1);
7229
7230 1 r = 1; a = 0;
7231
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_int_cmov(&r, &a, 0);
7232
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 CHECK(r == 1);
7233
7234 1 }
7235
7236 1 void fe_cmov_test(void) {
7237 1 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7238 1 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7239 1 static const secp256k1_fe max = SECP256K1_FE_CONST(
7240 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7241 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7242 );
7243 1 secp256k1_fe r = max;
7244 1 secp256k1_fe a = zero;
7245
7246 1 secp256k1_fe_cmov(&r, &a, 0);
7247
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7248
7249 1 r = zero; a = max;
7250 1 secp256k1_fe_cmov(&r, &a, 1);
7251
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7252
7253 1 a = zero;
7254 1 secp256k1_fe_cmov(&r, &a, 1);
7255
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7256
7257 1 a = one;
7258 1 secp256k1_fe_cmov(&r, &a, 1);
7259
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7260
7261 1 r = one; a = zero;
7262 1 secp256k1_fe_cmov(&r, &a, 0);
7263
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7264 1 }
7265
7266 1 void fe_storage_cmov_test(void) {
7267 1 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7268 1 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7269 1 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7270 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7271 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7272 );
7273 1 secp256k1_fe_storage r = max;
7274 1 secp256k1_fe_storage a = zero;
7275
7276 1 secp256k1_fe_storage_cmov(&r, &a, 0);
7277
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7278
7279 1 r = zero; a = max;
7280 1 secp256k1_fe_storage_cmov(&r, &a, 1);
7281
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7282
7283 1 a = zero;
7284 1 secp256k1_fe_storage_cmov(&r, &a, 1);
7285
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7286
7287 1 a = one;
7288 1 secp256k1_fe_storage_cmov(&r, &a, 1);
7289
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7290
7291 1 r = one; a = zero;
7292 1 secp256k1_fe_storage_cmov(&r, &a, 0);
7293
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7294 1 }
7295
7296 1 void scalar_cmov_test(void) {
7297 1 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7298 1 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7299 1 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7300 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7301 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7302 );
7303 1 secp256k1_scalar r = max;
7304 1 secp256k1_scalar a = zero;
7305
7306 1 secp256k1_scalar_cmov(&r, &a, 0);
7307
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7308
7309 1 r = zero; a = max;
7310 1 secp256k1_scalar_cmov(&r, &a, 1);
7311
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7312
7313 1 a = zero;
7314 1 secp256k1_scalar_cmov(&r, &a, 1);
7315
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7316
7317 1 a = one;
7318 1 secp256k1_scalar_cmov(&r, &a, 1);
7319
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7320
7321 1 r = one; a = zero;
7322 1 secp256k1_scalar_cmov(&r, &a, 0);
7323
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7324 1 }
7325
7326 1 void ge_storage_cmov_test(void) {
7327 1 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7328 1 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7329 1 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7330 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7331 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7332 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7333 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7334 );
7335 1 secp256k1_ge_storage r = max;
7336 1 secp256k1_ge_storage a = zero;
7337
7338 1 secp256k1_ge_storage_cmov(&r, &a, 0);
7339
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7340
7341 1 r = zero; a = max;
7342 1 secp256k1_ge_storage_cmov(&r, &a, 1);
7343
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7344
7345 1 a = zero;
7346 1 secp256k1_ge_storage_cmov(&r, &a, 1);
7347
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7348
7349 1 a = one;
7350 1 secp256k1_ge_storage_cmov(&r, &a, 1);
7351
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7352
7353 1 r = one; a = zero;
7354 1 secp256k1_ge_storage_cmov(&r, &a, 0);
7355
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
2 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7356 1 }
7357
7358 1 void run_cmov_tests(void) {
7359 1 int_cmov_test();
7360 1 fe_cmov_test();
7361 1 fe_storage_cmov_test();
7362 1 scalar_cmov_test();
7363 1 ge_storage_cmov_test();
7364 1 }
7365
7366 1 int main(int argc, char **argv) {
7367 /* Disable buffering for stdout to improve reliability of getting
7368 * diagnostic information. Happens right at the start of main because
7369 * setbuf must be used before any other operation on the stream. */
7370 1 setbuf(stdout, NULL);
7371 /* Also disable buffering for stderr because it's not guaranteed that it's
7372 * unbuffered on all systems. */
7373 1 setbuf(stderr, NULL);
7374
7375 /* find iteration count */
7376
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 if (argc > 1) {
7377 count = strtol(argv[1], NULL, 0);
7378 } else {
7379 1 const char* env = getenv("SECP256K1_TEST_ITERS");
7380
1/4
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
1 if (env && strlen(env) > 0) {
7381 count = strtol(env, NULL, 0);
7382 }
7383 }
7384
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 if (count <= 0) {
7385 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7386 return EXIT_FAILURE;
7387 }
7388 1 printf("test count = %i\n", count);
7389
7390 /* find random seed */
7391
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
1 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
7392
7393 /* initialize */
7394 1 run_context_tests(0);
7395 1 run_context_tests(1);
7396 1 run_scratch_tests();
7397 1 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
7398
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 1 times.
1 if (secp256k1_testrand_bits(1)) {
7399 unsigned char rand32[32];
7400 secp256k1_testrand256(rand32);
7401 CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
7402 }
7403
7404 1 run_rand_bits();
7405 1 run_rand_int();
7406 1 run_util_tests();
7407
7408 1 run_ctz_tests();
7409 1 run_modinv_tests();
7410 1 run_inverse_tests();
7411
7412 1 run_sha256_known_output_tests();
7413 1 run_sha256_counter_tests();
7414 1 run_hmac_sha256_tests();
7415 1 run_rfc6979_hmac_sha256_tests();
7416 1 run_tagged_sha256_tests();
7417
7418 /* scalar tests */
7419 1 run_scalar_tests();
7420
7421 /* field tests */
7422 1 run_field_half();
7423 1 run_field_misc();
7424 1 run_field_convert();
7425 1 run_fe_mul();
7426 1 run_sqr();
7427 1 run_sqrt();
7428
7429 /* group tests */
7430 1 run_ge();
7431 1 run_gej();
7432 1 run_group_decompress();
7433
7434 /* ecmult tests */
7435 1 run_ecmult_pre_g();
7436 1 run_wnaf();
7437 1 run_point_times_order();
7438 1 run_ecmult_near_split_bound();
7439 1 run_ecmult_chain();
7440 1 run_ecmult_constants();
7441 1 run_ecmult_gen_blind();
7442 1 run_ecmult_const_tests();
7443 1 run_ecmult_multi_tests();
7444 1 run_ec_combine();
7445 1 run_ec_commit();
7446
7447 /* endomorphism tests */
7448 1 run_endomorphism_tests();
7449
7450 /* EC point parser test */
7451 1 run_ec_pubkey_parse_test();
7452
7453 /* EC key edge cases */
7454 1 run_eckey_edge_case_test();
7455
7456 /* EC key arithmetic test */
7457 1 run_eckey_negate_test();
7458
7459 #ifdef ENABLE_MODULE_BPPP
7460 run_bppp_tests();
7461 #endif
7462
7463 #ifdef ENABLE_MODULE_ECDH
7464 /* ecdh tests */
7465 run_ecdh_tests();
7466 #endif
7467
7468 #ifdef ENABLE_MODULE_MUSIG
7469 run_musig_tests();
7470 #endif
7471
7472 /* ecdsa tests */
7473 1 run_pubkey_comparison();
7474 1 run_random_pubkeys();
7475 1 run_ecdsa_der_parse();
7476 1 run_ecdsa_sign_verify();
7477 1 run_ecdsa_end_to_end();
7478 1 run_ecdsa_edge_cases();
7479
7480 #ifdef ENABLE_MODULE_RECOVERY
7481 /* ECDSA pubkey recovery tests */
7482 run_recovery_tests();
7483 #endif
7484
7485 #ifdef ENABLE_MODULE_GENERATOR
7486 run_generator_tests();
7487 #endif
7488
7489 #ifdef ENABLE_MODULE_RANGEPROOF
7490 run_rangeproof_tests();
7491 #endif
7492
7493 #ifdef ENABLE_MODULE_WHITELIST
7494 /* Key whitelisting tests */
7495 run_whitelist_tests();
7496 #endif
7497
7498 #ifdef ENABLE_MODULE_SURJECTIONPROOF
7499 run_surjection_tests();
7500 #endif
7501
7502 #ifdef ENABLE_MODULE_EXTRAKEYS
7503 1 run_extrakeys_tests();
7504 #endif
7505
7506 #ifdef ENABLE_MODULE_SCHNORRSIG
7507 1 run_schnorrsig_tests();
7508 #endif
7509
7510 #ifdef ENABLE_MODULE_ECDSA_S2C
7511 /* ECDSA sign to contract */
7512 run_ecdsa_s2c_tests();
7513 #endif
7514
7515 #ifdef ENABLE_MODULE_ECDSA_ADAPTOR
7516 run_ecdsa_adaptor_tests();
7517 #endif
7518
7519 /* util tests */
7520 1 run_secp256k1_memczero_test();
7521 1 run_secp256k1_byteorder_tests();
7522
7523 1 run_cmov_tests();
7524
7525 1 secp256k1_testrand_finish();
7526
7527 /* shutdown */
7528 1 secp256k1_context_destroy(ctx);
7529
7530 1 printf("no problems found\n");
7531 1 return 0;
7532 }
7533